Non-transferable anonymous credential system with optional anonymity revocation

ABSTRACT

The present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials. A credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established for use with different organizations, cannot be linked. An organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization that knows him under another pseudonym. During the proof of possession of the credential nothing besides the fact that he owns such a credential is revealed. A refinement of the credential system provides credentials for unlimited use, so-called multiple-show credentials, and credentials for one-time use, so-called one-show credentials.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention relates to the field of computer network management; it specifically concerns a method and a technical implementation for secure data exchange over a computer network. More particularly, the present invention relates to a method and system for securely proving ownership of pseudonymous or anonymous electronic credentials.

[0003] 2. Description of the Related Art

[0004] Since the mid 1990s one of the most rapidly growing retail sectors is referred to as electronic commerce. Electronic commerce involves the use of the Internet and proprietary networks to facilitate business-to-business, consumer, and auction sales of everything imaginable, from computers and electronics to books, recordings, automobiles, and real estate. In such an environment consumer privacy is becoming a major concern.

[0005] However, the mere fact that electronic commerce is conducted over an existing open network infrastructure such as the Internet runs counter to the privacy of the consumer. Often, there are legitimate reasons for a party to remain anonymous.

OBJECT OF THE INVENTION

[0006] Starting from this, the object of the present invention is to provide a method and a system for securely proving ownership of pseudonymous or anonymous electronic credentials, wherein a party that proves its ownership of the credential can stay anonymous, i.e., does not need to reveal its identity.

BRIEF SUMMARY OF THE INVENTION

[0007] The foregoing object is achieved by a method and a system as laid out in the independent claims. Further advantageous embodiments of the present invention are described in the sub claims and are taught in the following description.

[0008] In the independent claims the same invention, and more particularly the same system, is described by means of closely related methods. First a user has to join the whole system. Then, the user is able to establish further connections to different organizations, which also belong to the system. Finally, the user is able to show the respective credentials, which the user gathered before, to a verifier (or to further organizations). Hence, all such methods together realise a single system which is based on the present invention.

[0009] As the collection and exploitation of secret information become more of a concern, users are less willing to give out information, and may want to conduct transactions under a pseudonym or anonymously. For example, a user in a pseudonymous or anonymous transaction may receive a credential stating that, e.g., he made a payment for a newspaper subscription. The user might want to use the credential at a later point in time or several times in the future to prove that the particular transaction took place, e.g., that the user is entitled to read articles in the newspaper.

[0010] The method and system for proving ownership of an electronic credential in accordance with the present invention is to be used in a communication system providing a public key encryption infrastructure. That is a system of public key encryption using digital certificates from certificate authorities and other registration authorities that verify and authenticate the validity of each party involved in an electronic transaction. The certificate authority, also called “Trusted Third Party”, is an entity, typically a company, that issues digital certificates to other entities like organizations or individuals to allow them to prove their identity to others. The certificate authority might be an external company that offers digital certificate services or it might be an internal organization such as a corporate MIS (Management Information System) department. The Certificate Authority's chief function is to verify the identity of entities and issue digital certificates attesting to that identity.

[0011] In comparison, public key encryption is an encryption scheme where each person gets a pair of keys, called the public key and the secret key. Each person's public key is published while the secret key is kept secret. Messages are encrypted using the intended recipient's public key and can only be decrypted using his secret key. This mechanism can also be used for or in conjunction with a digital signature.

[0012] The digital signature is formed by extra data appended to a message which identifies and authenticates the sender and message data using public-key encryption. The sender uses a one-way hash function to generate a hash-code of, for example, 160 bits from the message data. He then encrypts the hash-code with his secret key. The receiver computes the hash-code from the data as well and decrypts the received hash with the sender's public key. If the two hash-codes are equal, the receiver can be sure that the data has not been corrupted and that it came from the given sender.

[0013] The need for sender and receiver to share secret information, e.g., keys, via some secure channel is eliminated, since all communications involve only public keys, and no secret key is ever transmitted or shared. Public-key encryption can be used for authentication, confidentiality, integrity and non-repudiation. RSA encryption is an example of a public-key cryptography system.

[0014] The one-way hash function, also called “message digest function”, used for the digital signature is a function which takes a variable-length message and produces a fixed-length hash. Given the hash it is computationally impossible to find a message with that hash. In fact, one cannot determine any usable information about a message with that hash, not even a single bit. For some one-way hash functions it is also computationally impossible to determine two messages which produce the same hash. A one-way hash function can be secret or public, just like an encryption function. A public one-way hash function can be used to speed up a public-key digital signature system. Rather than signing a long message, which can take a long time, the one-way hash of the message is computed, and the hash is digitally signed.

[0015] A new credential system is described consisting of users and organizations. An organization knows a user only by a pseudonym. The pseudonyms of the same user, established for use with different organizations, cannot be linked. An organization can issue a credential to a pseudonym, and the corresponding user can prove possession of this credential to another organization that knows him under another pseudonym. During the proof of possession of the credential nothing besides the fact that he owns such a credential is revealed. In a refinement of the credential system there are credentials for unlimited use, so-called multiple-show credentials, and credentials for one-time use, so-called one-show credentials.

[0016] The method and system according to the present invention works as follows. In order to establish a pseudonym system a certificate authority accepts a user as a new participant in the pseudonym system by initially receiving a first public key provided by said user and an external public key being registered for said user with an external public key infrastructure. Then, the certificate authority verifies that the external public key is indeed registered with said external public key infrastructure. If this is the case the certificate authority receives an encryption of a secret key encrypted by using said first public key and proves that the secret key corresponding to said external public key is encrypted in said received encryption. Then, it computes a credential by signing the first public key using a secret key owned by said certificate authority and, finally, the certificate authority publishes the first public key, the certificate, the encryption and the name of the external public key infrastructure.

[0017] In a second aspect of the present invention, to establish a pseudonym system a user needs to get registered with an organization. To do so, the organization receives a first public key provided by said user and a first encryption of a first secret key encrypted by using said first public key. Then, it proves that an existing public key is registered for said user with another organization of said pseudonym system and that the secret key corresponding to said existing public key is encrypted in said received first encryption. Then, the organization computes a credential by signing the first public key using a secret key owned by said organization and publishes the first public key, the certificate, the first encryption and the name of the other organization.

[0018] According to a third aspect of the present invention a verifier validates a credential shown by a user, whereby the credential is formed by a public key which is registered with a specified organization. Initially, the verifier receives a first public key provided by the user and an existing public key being registered for said user with the aforementioned organization. Then, the verifier verifies that the existing public key is indeed registered with said organization and receives a first encryption of a first secret key encrypted by using the first public key. Finally, the verifier proves that the secret key corresponding to the existing public key is encrypted in the received first encryption.

[0019] The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.

[0020] Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] The above, as well as additional objectives, features and advantages of the present invention, will be apparent in the following detailed written description.

[0022] The novel features of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives, and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawing, wherein:

[0023] FIG. 1 shows a general layout of a pseudonym system according to the present invention.

DETAILED DESCRIPTION OF THE INVENTION

[0024] With reference to FIG. 1, there is depicted a general layout of a pseudonym system according to the present invention. Within the pseudonym system there are five organizations: a certificate authority CA, an organization being able to issue a driver's license DrLi, an insurance company for normal cars Ins, an insurance company for sports cars Spins and a car rental organization CarRO. Furthermore, the pseudonym system includes two verifiers, a car rental agency CR and a sports car rental agency SR.

[0025] An arrow from X to Y means that the user showed to entity Y a credential issued to him by entity X. The dashed line groups organizations that trust each other to check various credentials properly. In the shown example of a pseudonym system a user is enabled to obtain a driver's license through organization DL, a car insurance through organization Ins, a sports car insurance through Spins, and access to a car rental through the car rental organization CarRO. The access to car rental is as follows.

[0026] The user first registers with the car rental organization CarRO, which verifies that he is a valid user (has got a CA-credential) and has got a car insurance (has an Ins-credential). In the given scenario the car rental organization does not need to worry whether or not the user has got a driver's license since the respective insurance is responsible and liable for that. Now, if the user wants to rent an ordinary car, he goes to the car rental agency CR, which functions as a verifier, and proves that he owns a credential from the car rental organization CarRO. After he has proven that he owns the respective credential he will get a car.

[0027] However, if the user would like to rent a sports car, he goes to the sports car agency SR. There he shows that he owns not only a credential from the car rental organization CarRO but also one from the sports car insurance Spins, i.e., that he has a special insurance for sports cars.

[0028] None of the credentials reveal any information about the user's real identity or pseudonym. However, the showing of credentials can be carried out in such a way that a designated revocation manager can later find the user's identity and/or pseudonyms. For instance, in case the user has a non-criminal car accident, the revocation manager reveals the pseudonym the user has with the corresponding insurance company and the cost of his insurance will go up. Whereas, if he has a criminal accident, then the revocation manager also reveals his real identity for further prosecution.

[0029] In the following all methods needed for the above scenario are described in greater detail.

[0030] Let $\{0,1\}^*$ denote the set of all binary strings.

[0031] Computational problems are often modeled as decision problems: decide whether a given $x \in \{0,1\}^*$ belongs to a language $L \subset \{0,1\}^*$. P is the class of languages for which this can be decided in polynomial time. NP is the class of problems for which the decision whether $x$ belongs to $L$ can be verified in polynomial time when provided a credential (or witness) of this fact. Clearly $\mathrm{P} \subset \mathrm{NP}$.

[0032] Let $R \subset \{0,1\}^* \times \{0,1\}^*$ be a boolean relation. We say that $R$ is “polynomially bounded” if there exists a polynomial $p(\cdot)$ such that $|w| \le p(|x|)$ holds for all $(x,w) \in R$. Furthermore, $R$ is an NP-relation if it is polynomially bounded and if there exists a polynomial-time algorithm for deciding membership of pairs $(x,w)$ in $R$. Finally,

$$L_R = \{\, x \mid \exists w \text{ such that } (x,w) \in R \,\}$$

[0033] is the language defined by $R$.

[0034] A language $L$ is in NP if there exists an NP-relation $R_L \subset \{0,1\}^* \times \{0,1\}^*$ such that $x \in L$ if and only if there exists a $w$ such that $(x,w) \in R_L$. Such a $w$ is called a witness of the membership of $x$ in $L$. The set of all witnesses of $x$ is denoted as $R_L(x)$.

[0035] It is known that for any NP-relation $R$ there exists a so-called proof of knowledge. Such a proof is a protocol between a prover and a verifier which allows the prover to convince the verifier that for some given value $y$ he knows a value $w$ such that $(w,y)$ is contained in $R$. The protocol has the additional property that although the verifier knows $y$, she does not get any information about $w$ other than that such a value exists and that the prover knows it. Realizations of such protocols for any relation $R$ are described in Brassard et al. (G. Brassard, D. Chaum, and C. Crépeau, “Minimum disclosure proofs of knowledge”, Journal of Computer and System Sciences, 37(2):156-189, October 1988) or Boyar et al. (J. Boyar, I. Damgaard, and R. Peralta, “Short non-interactive cryptographic proofs”, Journal of Cryptology, 13(4):449-472, October 2000). We will denote these methods as

$$\mathrm{PK}\{(\alpha) : (\alpha, y) \in R\},$$

[0036] where Greek letters stand for the values the prover shows knowledge of and that the verifier does not learn, whereas she learns all other parameters. Finally, $(\alpha, y) \in R$ is the statement that is proven, or, in other words, the conditions that the (secret) values the prover knows satisfy.

[0037] There also exist non-interactive variants of these protocols. They can be obtained from the interactive protocol using the so-called Fiat-Shamir heuristic (A. Fiat and A. Shamir, “How to prove yourself: Practical solution to identification and signature problems”, in A. M. Odlyzko, editor, Advances in Cryptology—CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194, Springer Verlag, 1987). The resulting protocol can also be seen as a digital signature. We denote them

$$\mathrm{SPK}\{(\alpha) : (\alpha, y) \in R\}(m),$$

[0038] where SPK stands for signature based on a proof of knowledge, and $m$ is the message that gets signed.
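As an added illustration (not part of the patent text), the following Python shows the interactive proof of knowledge and its Fiat-Shamir signature variant for the relation the pseudonyms below rely on, $y = f(\alpha) = g^\alpha$ in a prime-order group, i.e., a Schnorr proof of knowledge of a discrete logarithm. The group parameters p = 2039, q = 1019, g = 4 are constructed toy values chosen so the arithmetic stays readable; a deployment would use a group of at least 2048 bits. All function names and the challenge-hash layout are the example's own choices.

```python
"""Toy Schnorr proof of knowledge PK{(alpha): y = g^alpha} and its
Fiat-Shamir variant SPK{(alpha): y = g^alpha}(m).  Constructed example with
deliberately tiny parameters; not for real use."""
import hashlib
import secrets

# Constructed toy group: p = 2q + 1 with q prime, g = 4 generates the order-q subgroup.
P = 2039
Q = 1019
G = 4


def keygen():
    """Secret alpha in [1, q-1] and public y = g^alpha (the pseudonym)."""
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, pow(G, alpha, P)


# ---- interactive three-move proof of knowledge ----
def prover_commit():
    """Move 1: prover picks a fresh k and sends t = g^k."""
    k = secrets.randbelow(Q - 1) + 1
    return k, pow(G, k, P)


def verifier_challenge():
    """Move 2: verifier sends a random challenge c in [0, q-1]."""
    return secrets.randbelow(Q)


def prover_respond(alpha, k, c):
    """Move 3: s = k + c*alpha mod q; alpha stays hidden behind the fresh k."""
    return (k + c * alpha) % Q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive_pk(alpha, y):
    """Full PK{(alpha): y = g^alpha} between a prover holding alpha and a verifier."""
    k, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(alpha, k, c)
    return verifier_check(y, t, c, s)


# ---- Fiat-Shamir: the challenge is derived by hashing, giving SPK(m) ----
def fs_challenge(y, t, m):
    """c = H(group || y || t || m) mod q; binding m makes the proof a signature on m."""
    h = hashlib.sha256(f"{G}|{P}|{y}|{t}|".encode() + m).digest()
    return int.from_bytes(h, "big") % Q


def spk_sign(alpha, y, m):
    """SPK{(alpha): y = g^alpha}(m): the pair (t, s) is the signature."""
    k, t = prover_commit()
    c = fs_challenge(y, t, m)
    return t, prover_respond(alpha, k, c)


def spk_verify(y, m, sig):
    """Recompute the challenge from (y, t, m) and run the same check as the verifier."""
    t, s = sig
    return verifier_check(y, t, fs_challenge(y, t, m), s)
```

In the interactive form the verifier learns nothing about alpha beyond the fact that the prover knows it, because s is masked by the one-time k. In the SPK form the same transcript, with c computed from the message, is a signature that anyone can check against y without interacting with the prover.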

[0039] Let Enc and Dec denote the encryption and decryption algorithm of some public key encryption scheme. Let $P$ be a public key of such a scheme and $S$ be the corresponding secret key. Then $e = \mathrm{Enc}_P(m)$ means that $e$ is the encryption of some message $m$ under public key $P$. Similarly, $d = \mathrm{Dec}_S(e)$ means that $d$ is the decryption of $e$ using the secret key $S$, where $d = m$ if $e$ is a valid encryption of $m$ under $P$. If Enc is a probabilistic algorithm, then we write $e = \mathrm{Enc}_P(m, r)$, where $r$ contains all the random choices to be made, i.e., $\mathrm{Enc}_P(\cdot,\cdot)$ becomes a deterministic algorithm.

[0040] Let Sig and Ver denote the signature generation and verification algorithm of some public key signature scheme. The algorithm Sig takes the secret key $x_s$ and a message $m$ as input and outputs a signature $\sigma$ of $m$. On input of a message $m$, a signature $\sigma$, and the public key $y_s$ of a signer, the algorithm Ver outputs true or false. The following must be satisfied:

$$\mathrm{Ver}(m,\sigma,y_s) = \begin{cases} \mathit{true} & \text{if } \Pr[\sigma = \mathrm{Sig}(m,x_s)] > 0 \\ \mathit{false} & \text{otherwise.} \end{cases}$$

[0041] Furthermore, a signature scheme must be unforgeable. This means that it must be infeasible to compute a signature of a message with respect to a public key without knowing the corresponding secret key.

[0042] Let $\|$ denote the concatenation of strings.

[0043] Now, the basic pseudonym scheme is described. It provides external PKI (Public Key Infrastructure) assured non-transferability. The following parties are involved:

[0044] a certification authority $O_0 = \mathrm{CA}$, organizations $O_1, O_2, \ldots$, and a user $U$. Let $P_{\mathrm{CA}}$, $P_{O_1}$, and $P_{O_2}$ denote the respective public keys of the first three parties for some signature scheme and $S_{\mathrm{CA}}$, $S_{O_1}$, and $S_{O_2}$ the respective secret keys.

[0045] For all protocols we assume that the protocol is aborted as soon as some verification or check fails.

[0046] Let $P_U^{\mathrm{PKI}}$ be user $U$'s public key that she has registered with an external PKI and let $S_U^{\mathrm{PKI}}$ denote the corresponding secret key.

[0047] Let $f_X : \{0,1\}^* \to \{0,1\}^*$ denote the (one-way) function that relates the secret and public keys a user chooses with organization $X$. For instance, $P_U^{\mathrm{PKI}} = f_{\mathrm{PKI}}(S_U^{\mathrm{PKI}})$. This function is part of the public key of $X$.

[0048] In the following the public key $P_U^{O_j}$ a user has established with some organization $O_j$ is considered the pseudonym of user $U$ with $O_j$. In practice, $P_U^{O_j}$ might serve as key to a database where $O_j$ stores information it has collected about $U$.

[0049] Furthermore, in the following the term “showing of a credential” is used somewhat misleadingly to actually mean that the user proves possession of a credential. In particular, the user never reveals the credential itself to the party to which he proves possession (or “shows”) of it.

[0050] The following first method describes how a new user enters the pseudonym system, i.e., registers with the CA.

[0051] 1. User $U$ chooses a new (random) secret key $S_U^{\mathrm{CA}}$, computes $P_U^{\mathrm{CA}} = f_{\mathrm{CA}}(S_U^{\mathrm{CA}})$, and sends $P_U^{\mathrm{CA}}$ to CA.

[0052] 2. User $U$ sends CA her external public key $P_U^{\mathrm{PKI}}$.

[0053] 3. CA verifies that $P_U^{\mathrm{PKI}}$ is indeed registered with the external PKI. (Depending on the actual use of the pseudonym system, the CA might also have to check things other than his identity, e.g., whether he has sufficient income or sufficient assurance.)

[0054] 4. $U$ chooses a random $r$, computes $e_1^{\mathrm{CA}} = \mathrm{Enc}_{P_U^{\mathrm{CA}}}(S_U^{\mathrm{PKI}}, r)$, and sends $e_1^{\mathrm{CA}}$ to CA.

[0055] 5. $U$ proves to the CA that the secret key corresponding to $P_U^{\mathrm{PKI}}$ is encrypted in $e_1^{\mathrm{CA}}$ under the public key $P_U^{\mathrm{CA}}$. More formally, $U$ proves to the CA the following:

$$\mathrm{PK}\{(\alpha,\beta) : P_U^{\mathrm{PKI}} = f_{\mathrm{PKI}}(\alpha) \;\wedge\; e_1^{\mathrm{CA}} = \mathrm{Enc}_{P_U^{\mathrm{CA}}}(\alpha,\beta)\}.$$

[0056] 6. The CA computes the credential on $P_U^{\mathrm{CA}}$, i.e., computes $c_U^{\mathrm{CA}} = \mathrm{Sig}(P_U^{\mathrm{CA}}, S_{\mathrm{CA}})$, and sends $c_U^{\mathrm{CA}}$ to $U$.

[0057] 7. CA publishes $(P_U^{\mathrm{CA}}, c_U^{\mathrm{CA}}, e_1^{\mathrm{CA}}, \mathrm{PKI})$.

[0058] The following second method shows how a user registers with an organization $O_i$ and obtains a credential from said organization $O_i$, whereby $i > 1$, i.e., it covers all cases except the initial registration with the CA as described above.

[0059] 1. $U$ chooses a new (random) secret key $S_U^{O_i}$, computes $P_U^{O_i} = f_{O_i}(S_U^{O_i})$, and sends $P_U^{O_i}$ to $O_i$.

[0060] 2. Depending on the requirements of $O_i$, $U$ has to prove to $O_i$ that $U$ possesses credentials issued by various organizations (including CA). Assume that $U$ has to prove to $O_i$ the possession of a credential by $O_j$. If $O_i$ requires $U$ to prove the possession of credentials from other organizations as well, then the following steps are repeated for each of these organizations/credentials.

[0061] (a) $U$ chooses a random $r$, computes $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j}, r)$, and sends $e_1^{(O_i,O_j)}$ to $O_i$.

[0062] (b) $U$ proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, and that $U$ owns a credential by $O_j$ (w.r.t. the public key $U$ established with $O_j$). More formally, $U$ proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta) : \alpha = f_{O_j}(\beta) \;\wedge\; e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\gamma) \;\wedge\; 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\}$$

[0063] 3. Finally, $O_i$ computes a credential on $P_U^{O_i}$, i.e., computes $c_U^{O_i} = \mathrm{Sig}(P_U^{O_i}, S_{O_i})$, and sends $c_U^{O_i}$ to $U$.

[0064] 4. $O_i$ publishes the tuple $(P_U^{O_i}, c_U^{O_i}, e_1^{(O_i,O_j)}, O_j)$ for all $O_j$ from which it asked for the possession of credentials.

[0065] It should be noted that all the steps of this protocol can in fact be executed at different times (as long as the order is kept). If this is done, then $U$ has to send $O_i$ the public key $P_U^{O_i}$ before each of the steps to let $O_i$ resynchronize. Example: first step 1 is executed, followed by step 2; at some later time, $U$ sends $O_i$ $P_U^{O_i}$ again and they execute step 2 again, this time for credentials from different organization(s); finally step 3 is executed.

[0066] The encryptions $e_1^{(O_i,O_j)}$ ensure non-transferability: this is because in order to transfer a credential to another user $U'$, user $U$ needs to reveal $S_U^{O_i}$. Knowing this value, $U'$ can compute $P_U^{O_i}$, look up $e_1^{(O_i,O_j)}$, decrypt it, and obtain $S_U^{O_j}$. Repeating this process, $U'$ will finally be able to decrypt $e_1^{\mathrm{CA}}$ and obtain the valuable external secret key of $U$.

[0067] The triple $(P_U^{O_i}, c_U^{O_i}, e_1^{(O_i,O_j)})$ can either be published by the organizations themselves or centrally at one place for the whole pseudonym system, e.g., the CA could maintain such a list (ordered by $P_U^{O_i}$).

[0068] Now, the same user shows a credential to a verifier $V$ according to the following third method. In this method “multiple show” of the credential is possible.

[0069] In order to get access to some service, $U$ has to show possession of a credential by the organization the verifier (service provider) $V$ is associated with. Assume that $U$ has to prove to $V$ the possession of a credential by $O_j$.

[0070] 1. $U$ proves to $V$ that it established a public key with $O_j$, that $U$ owns a credential by $O_j$ on that public key, and that $U$ actually knows the corresponding secret key. More formally, $U$ proves to $V$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\delta) : \alpha = f_{O_j}(\beta) \;\wedge\; 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\}$$

[0071] In case $V$ requires that $U$ proves possession of credentials from several organizations, then $V$ has to be treated like an organization. That is, $U$ and $V$ follow the second method (including the publishing of the encryptions), with the exception that $V$ does not issue a credential, i.e., step 3 is not executed. Note that if this is done, $U$ has established a public key (pseudonym) with $V$.

[0072] It has to be acknowledged that in order to be fully anonymous, each time $U$ wants to access the service provided by $V$ he needs to engage again in the above protocol or in the second method without step 3.

[0073] The following describes the additions to the methods from above to achieve all-or-nothing transferability.

[0074] No changes have to be applied in order to enter the pseudonym system, i.e., to register with the CA.

[0075] In order to register with $O_i$ and to obtain a credential from $O_i$, $i > 1$, steps 2 and 4 of the second method need to be adapted. That is, steps 2a and 2b become the following.

[0076] 2a′. $U$ chooses random $r_1$ and $r_2$, computes the two encryptions $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j}, r_1)$ and $e_2^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_j}}(S_U^{O_i}, r_2)$, and sends $e_1^{(O_i,O_j)}$ and $e_2^{(O_i,O_j)}$ to $O_i$.

[0077] 2b′. $U$ proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, and that $U$ owns a credential by $O_j$ (w.r.t. the public key $U$ established with $O_j$). Furthermore, $U$ also proves that $e_2^{(O_i,O_j)}$ is an encryption of the secret key corresponding to $P_U^{O_i}$ under the public key $U$ has established with $O_j$. More formally, $U$ proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta,\varepsilon,\nu) : \alpha = f_{O_j}(\beta) \;\wedge\; e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\gamma) \;\wedge\; 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j}) \;\wedge\; P_U^{O_i} = f_{O_i}(\varepsilon) \;\wedge\; e_2^{(O_i,O_j)} = \mathrm{Enc}_{\alpha}(\varepsilon,\nu)\}$$

[0078] Furthermore, step 4 becomes

[0079] 4′. $O_i$ publishes the tuple $(P_U^{O_i}, c_U^{O_i}, e_1^{(O_i,O_j)}, e_2^{(O_i,O_j)}, O_j)$ for all $O_j$ from which it asked for the possession of credentials.

[0080] The remark made above about publishing the encryptions provided to $O_i$ by $U$ applies here as well.

[0081] The encryptions $e_1^{(O_i,O_j)}$, $e_2^{(O_i,O_j)}$ ensure non-transferability: recall that to transfer a credential to another user $U'$, user $U$ needs to reveal $S_U^{O_i}$. Knowing this value, $U'$ can compute $P_U^{O_i}$, look up $e_1^{(O_i,O_j)}$, decrypt it, and obtain $S_U^{O_j}$. Repeating this process, $U'$ will finally be able to get $S_U^{\mathrm{CA}}$, decrypt $e_1^{\mathrm{CA}}$ and obtain the valuable external secret key of $U$. Now, as $U'$ knows $S_U^{\mathrm{CA}}$, he can also decrypt all $e_2^{(O_i,\mathrm{CA})}$ and get the secret keys $U$ chose with any organization to which $U$ had to prove possession of a credential by CA. Now, if $U'$ knows the secret key $U$ chose with organization $O_j$ and $U$ needed to prove to $O_i$ possession of a credential by $O_j$, user $U'$ can get $e_2^{(O_i,O_j)}$, decrypt it, and learn the secret key $U$ chose with $O_i$. Repeating this process, $U'$ will eventually get to know all secret keys user $U$ chose and can use all the credentials of user $U$. Thus, if a user transfers one credential to another user, he effectively transfers all of them.

[0082] No changes have to be applied to the third method in order to show a credential to a verifier $V$ under “multiple show”.

[0083] In another refinement the above methods provide all-or-nothing non-transferability.

[0084] To enter the pseudonym system and to register with the CA, steps 4, 5, and 7 can be omitted.

[0085] In order to register with $O_i$ and to obtain a credential from $O_i$, $i > 1$, the same modifications to the first method as previously explained have to be made.

[0086] The same method as before can be used to show a credential to a verifier $V$ under “multiple show”.

[0087] In another refinement the above methods provide revokability. Local anonymity revocation means that whenever $U$ proved possession of a credential by $O_j$ to a party $X$, it is possible for some third party (revocation manager) to retrieve the pseudonym/public key $U$ has established with $O_j$ from the information $X$ obtained from $U$.

[0088] In the following, let $m_R$ be the text stating under which conditions the anonymity shall be revoked. This text can be unique to each showing of a credential. It is understood that whenever the revocation manager is asked for revocation he will not reveal the pseudonym if the conditions stated in $m_R$ are not met. For instance, if $m_R$ states that revocation requires that the person that proved the possession of a credential be involved in some crime, then the revocation manager will not revoke the anonymity until the requesting party can convince the revocation manager that the user at hand was indeed involved in some crime (cf. the car accident example). In order to add local revokability, one has to apply the following changes to the respective methods. Of course, local revokability can also be added after other features were added.

[0089] To allow local revokability, each organization has to nominate a revocation manager who generates a public and secret key of a non-malleable encryption scheme, i.e., the revocation manager $R_i$ responsible for organization $O_i$ generates $S_{R_i}$ and $P_{R_i}$ and publishes $P_{R_i}$.

[0090] Entering the pseudonym system and registering with the CA works without further changes to the respective protocol.

[0091] For registering with $O_i$ and obtaining a credential from $O_i$, $i > 1$, step 2 has to be adapted. That is, steps 2a and 2b are as follows. Note that it can be decided separately for each execution of step 2 whether local revokability is required or not, i.e., whether the step is executed with the additions below or not.

[0092] 2a″. $U$ chooses random $r_1$ and $r_3$, computes the two encryptions $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j}, r_1)$ and $\upsilon^{(O_i,R_j)} = \mathrm{Enc}_{P_{R_j}}(P_U^{O_j} \| m_R, r_3)$, and sends $e_1^{(O_i,O_j)}$ and $\upsilon^{(O_i,R_j)}$ to $O_i$.

[0093] 2b″. $U$ proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, and that $U$ owns a credential by $O_j$ (w.r.t. the public key $U$ established with $O_j$). Furthermore, $U$ also proves that $\upsilon^{(O_i,R_j)}$ is an encryption of the public key $U$ has established with $O_j$ under the public key $P_{R_j}$ of $O_j$'s revocation manager. More formally, $U$ proves to $O_i$ the following:

PK{(α,β,γ,δ,ε,ν): α=ƒ_(O) _(j) (β) Λe ₁ ^((O) ^(_(i)) ^(O) ^(_(j)) ⁾=Enc _(P) _(^(o)) ^(_(i)) (β,γ) Λ1=V er(α, δ, P _(O) _(j) ) Λυ^((O)^(_(i)) ^(,R) ^(_(j)) ⁾ =Enc _(P) _(R) ^(_(j)) (α∥m _(R)υ)}

[0094] Note that here we assumed that U and $O_i$ both trust the revocation manager $R_j$. However, they could also agree upon a different revocation manager.

[0095] Showing a credential issued by $O_j$ to a verifier V under "multiple show" works as follows:

[0096] 0″. U chooses a random $r_3$, computes the encryption $v^{(V,R_j)} = \mathrm{Enc}_{P_{R_j}}(P_U^{O_j} \| m_R, r_3)$ and sends $v^{(V,R_j)}$ to V.

[0097] 1″. U proves to V that it established a public key with $O_j$, that U owns a credential by $O_j$ on that public key, and that U actually knows the corresponding secret key.

[0098] Furthermore, U also proves to V that $v^{(V,R_j)}$ is an encryption of that public key (together with $m_R$) under the public key $P_{R_j}$ of $O_j$'s revocation manager. More formally, U proves to V the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta):\ \alpha = f_{O_j}(\beta)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\ \wedge\ v^{(V,R_j)} = \mathrm{Enc}_{P_{R_j}}(\alpha \| m_R, \gamma)\}$$

[0099] With respect to showing credentials of several organizations, the same remark as above applies.

[0100] Global revokability is very similar to local revokability. Global revokability basically means showing possession of a CA-credential with (local) revokability as described in the previous section, because once the pseudonym under which a user is known to the CA is revealed, the CA can determine the user's real identity.

[0101] In case proving possession of a credential to a verifier V needs global revokability, a user U needs to show V not only the credential of the associated organization but also that of the CA. Thus, U and V need to execute the second method (with the extensions of the previous section) up to the point where credentials are granted. As mentioned earlier, instead of publishing the encryptions obtained from U during the protocol's execution, V could send them to its associated organization for publication.

[0102] Note: in practice, when requiring global revokability for proving possession of a credential to a verifier V, one would probably also want local revokability. If this is the case, it is easier to have only local revokability for proving possession of a credential to V and to ask for global revokability when U registers with the organization associated with V.

[0103] The methods as described above can be used as "multi-show" credentials. However, they can be refined to function as "one-show" credentials. A one-show credential is a credential such that when a user shows it more than once, these different showings can be linked. (Note that although these showings can be linked, the pseudonym associated with the credential is not revealed; hence anonymity is maintained.)

[0104] One-show credentials can be implemented in a similar manner as multi-show credentials, but with some extra information revealed about the credential such that using the credential more than once can be detected. One method to implement them is that each organization X publishes a suitable one-way function $\hat f_X(\cdot)$. This function must have the property that, given $\hat f_X(s)$ and $f_X(s')$, it is hard to decide whether $s = s'$.

[0105] Issuing a one-show credential is no different from issuing ordinary credentials. Therefore, the protocol for entering the pseudonym system and registering with the CA remains unchanged. However, the CA of course needs to publish a function $\hat f_{CA}$ as part of its public key and to state that all credentials issued w.r.t. this public key are one-show credentials.

[0106] Step 2 of the second method has to be adapted to register with $O_i$ and to obtain a credential from $O_i$, $i>1$. That is, steps 2a and 2b are as follows. Note that it can be decided separately for each execution of step 2 whether the one-show additions below are applied or not.

[0107] 2a‴. U chooses a random $r$, computes $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j}, r)$ and $\hat P_U^{O_j} = \hat f_{O_j}(S_U^{O_j})$, and sends $e_1^{(O_i,O_j)}$ and $\hat P_U^{O_j}$ to $O_i$.

[0108] 2b‴. U proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, and that U owns a credential by $O_j$ (w.r.t. the public key U established with $O_j$). Furthermore, U also proves that the pre-image of $\hat P_U^{O_j}$ under $\hat f_{O_j}$ is the secret key of the public key U has established with $O_j$. More formally, U proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta):\ \alpha = f_{O_j}(\beta)\ \wedge\ e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\gamma)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\ \wedge\ \hat P_U^{O_j} = \hat f_{O_j}(\beta)\}$$

[0109] The organization $O_i$ can now tell whether some user showed a credential twice by checking whether it has seen $\hat P_U^{O_j}$ before. This might for instance be the case if a user wants to register twice with the same organization.

[0110] The third method for proving possession to a verifier needs to beadapted as follows for one-show credentials.

[0111] 0‴. (new) U computes $\hat P_U^{O_j} = \hat f_{O_j}(S_U^{O_j})$ and sends $\hat P_U^{O_j}$ to V.

[0112] 1‴. U proves to V that it established a public key with $O_j$, that U owns a credential by $O_j$ on that public key, and that U actually knows the corresponding secret key. Furthermore, U also proves that the pre-image of $\hat P_U^{O_j}$ under $\hat f_{O_j}$ is the secret key of the public key U has established with $O_j$. More formally, U proves to V the following:

$$\mathrm{PK}\{(\alpha,\beta,\delta):\ \alpha = f_{O_j}(\beta)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\ \wedge\ \hat P_U^{O_j} = \hat f_{O_j}(\beta)\}$$

[0113] The verifier V can now tell whether some user showed a credential twice by checking whether it has seen $\hat P_U^{O_j}$ before.

[0114] If a user wants or needs to obtain a second one-show credential from some organization, the two parties of course need to run the whole issuing protocol again, e.g., the user needs to choose a different $P_U^{O_j}$.

[0115] We can of course combine one-show credentials with the local and global revocation mechanisms described above.

[0116] In principle a one-show credential can also be used as a multi-show credential, as they are basically the same credential, only that some additional information is revealed if it is to be one-show. It is up to the system whether credentials issued by organization X are one-show only as soon as the function $\hat f_X$ is part of its public key. In practice, some policy stating when a credential is one-show and when multi-show would probably be part of the organizations' public keys.

[0117] A further refinement allows credentials with built-in revocation. These credentials are an extension of the one-show credentials described above in that they provide built-in (local) revocation: if a user proves possession of the same credential more than once (or, in general, more than k times), then his pseudonym with the issuing organization gets revealed directly, i.e., without the help of any revocation manager. However, if the user proves possession of the same credential only once (or at most k times), the user remains anonymous. Note that this is different from the case of one-show credentials with local revocation. (In case the user is allowed to prove possession of a credential up to k times, these different showings are linkable.)

[0118] In the following we describe the system such that showing a credential more than once reveals the user's identity. Similarly as described above, each organization X publishes two suitable one-way functions $\hat f_X(\cdot)\colon \{0,1\}^* \to \{0,1\}^*$ and $\tilde f_X(\cdot,\cdot)\colon \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$. Furthermore, we require the function $\hat f_X$ to be homomorphic, i.e., that there are operations $\star$ and $\oplus$ such that $\hat f_X(a) \star \hat f_X(b) = \hat f_X(a \oplus b)$ holds for all $a$ and $b$. This also defines "multiplication" with a scalar $c$: $\hat f_X(c \cdot a) = \hat f_X(a)^c$. Furthermore, $\hat f_X$ must have the property that, given $\hat f_X(s_1)$, $\hat f_X(s_2)$, $\hat f_X(s_3)$, $f_X(s'_1)$, and $\tilde f_X(s'_2, s'_3)$, it is hard to decide whether any of the relations $s_1 = s'_1$, $s_2 = s'_2$, $s_3 = s'_3$ hold. (All these functions can be realized under the discrete logarithm or the RSA assumption.)

[0119] In the following the changes are described for the case that the CA issues one-show credentials with built-in revocation. Steps 1 and 6 of the first protocol need to be modified as follows.

[0120] 1″″. U chooses new (random) secret keys $S_U^{CA}$, $\tilde S'^{CA}_U$, $\tilde S''^{CA}_U$, computes the two public keys $P_U^{CA} = f_{CA}(S_U^{CA})$ and $\tilde P_U^{CA} = \tilde f_{CA}(\tilde S'^{CA}_U, \tilde S''^{CA}_U)$, and sends $P_U^{CA}$ and $\tilde P_U^{CA}$ to the CA.

[0121] 6″″. The CA computes the credential on $(P_U^{CA}, \tilde P_U^{CA})$, i.e., computes $c_U^{CA} = \mathrm{Sig}(P_U^{CA} \| \tilde P_U^{CA}, S_{CA})$ and sends $c_U^{CA}$ to U.

[0122] In the following, $(P_U^{CA}, \tilde P_U^{CA})$ is regarded as one public key, i.e., the one that user U has established with the respective organization (here the CA).

[0123] Now it is described how a one-show credential with built-in revocation is issued by organization $O_i$, assuming that $O_i$ wants to see a one-show credential with built-in revocation issued by $O_j$. From this description it should be clear how to issue such a credential when requiring to see an ordinary credential (or a one-show credential without built-in revocation), as well as how to issue ordinary credentials (or one-show credentials without built-in revocation) when requiring to see a credential with built-in revocation. Almost all steps of the second method are adapted.

[0124] 1″″. U chooses new (random) secret keys $S_U^{O_i}$, $\tilde S'^{O_i}_U$, $\tilde S''^{O_i}_U$, computes the two public keys $P_U^{O_i} = f_{O_i}(S_U^{O_i})$ and $\tilde P_U^{O_i} = \tilde f_{O_i}(\tilde S'^{O_i}_U, \tilde S''^{O_i}_U)$, and sends $P_U^{O_i}$ and $\tilde P_U^{O_i}$ to $O_i$.

[0125] 2″″. Depending on the requirements of $O_i$, user U has to prove to $O_i$ that U possesses credentials by various organizations (including the CA). Assume that U has to prove to $O_i$ the possession of a one-show credential with built-in revocation by $O_j$. If $O_i$ requires U to prove possession of credentials from other organizations as well, the following steps are repeated for each of these organizations/credentials.

[0126] (a) U chooses a random $r$, computes $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j} \| \tilde S'^{O_j}_U \| \tilde S''^{O_j}_U, r)$, $\hat P'^{O_j}_U = \hat f_{O_j}(\tilde S'^{O_j}_U)$, and $\hat P''^{O_j}_U = \hat f_{O_j}(\tilde S''^{O_j}_U)$, and sends $e_1^{(O_i,O_j)}$, $\hat P'^{O_j}_U$, and $\hat P''^{O_j}_U$ to $O_i$.

[0127] (b) U proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret keys are encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, that the secret keys of the second part of the public key established with $O_j$ are the pre-images of $\hat P'^{O_j}_U$ and $\hat P''^{O_j}_U$ under $\hat f_{O_j}$, and that U owns a credential by $O_j$ (w.r.t. the public keys U established with $O_j$). More formally, U proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta,\varepsilon,\xi,\phi):\ \alpha = f_{O_j}(\beta)\ \wedge\ \gamma = \tilde f_{O_j}(\delta,\varepsilon)\ \wedge\ e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta \| \delta \| \varepsilon, \xi)\ \wedge\ 1 = \mathrm{Ver}(\alpha \| \gamma, \phi, P_{O_j})\ \wedge\ \hat P'^{O_j}_U = \hat f_{O_j}(\delta)\ \wedge\ \hat P''^{O_j}_U = \hat f_{O_j}(\varepsilon)\}$$

[0128] (c) (new step) $O_i$ chooses a random $w \in \{0,1\}^l$, $w \neq 0$, where $l$ is a suitably defined security parameter, and sends $w$ to U.

[0129] (d) (new step) U checks whether $w \neq 0$ and answers with $z = \tilde S'^{O_j}_U \oplus (w \cdot \tilde S''^{O_j}_U)$.

[0130] (e) (new step) $O_i$ checks whether $\hat f_{O_j}(z) = \hat P'^{O_j}_U \star (\hat P''^{O_j}_U)^w$.

[0131] 3″″. Finally, $O_i$ computes a credential on $(P_U^{O_i}, \tilde P_U^{O_i})$, i.e., computes $c_U^{O_i} = \mathrm{Sig}(P_U^{O_i} \| \tilde P_U^{O_i}, S_{O_i})$ and sends $c_U^{O_i}$ to U.

[0132] 4″″. $O_i$ publishes the list $(P_U^{O_i}, c_U^{O_i}, e_1^{(O_i,O_j)}, O_j)$ for all $O_j$ for which it asked for the possession of credentials.

[0133] When a user shows the same credential more than once, $O_i$ will with high probability have chosen different $w$'s and hence U will have replied with different $z$'s. Given two different pairs $(w_1, z_1)$ and $(w_2, z_2)$, one gets the two linear equations $z_1 = \tilde S'^{O_j}_U \oplus (w_1 \cdot \tilde S''^{O_j}_U)$ and $z_2 = \tilde S'^{O_j}_U \oplus (w_2 \cdot \tilde S''^{O_j}_U)$ with the user's secrets $\tilde S'^{O_j}_U$ and $\tilde S''^{O_j}_U$ as unknowns. These secrets can be retrieved by solving the equations, and thus $\tilde P_U^{O_j} = \tilde f_{O_j}(\tilde S'^{O_j}_U, \tilde S''^{O_j}_U)$ can be computed, which identifies the user. A single pair $(w, z)$ reveals nothing about the secrets, since for every value of $\tilde S''^{O_j}_U$ there is exactly one $\tilde S'^{O_j}_U$ consistent with it.

[0134] The third protocol for proving possession to a verifier needs to be adapted as follows for one-show credentials with built-in revocation.

[0135] 0″″. (new) U computes $\hat P'^{O_j}_U = \hat f_{O_j}(\tilde S'^{O_j}_U)$ and $\hat P''^{O_j}_U = \hat f_{O_j}(\tilde S''^{O_j}_U)$ and sends $\hat P'^{O_j}_U$ and $\hat P''^{O_j}_U$ to V.

[0136] 1″″. U proves to V that it established a public key with $O_j$, that U owns a credential by $O_j$ on that public key, and that U actually knows the corresponding secret keys. Furthermore, U proves to V that the secret keys of the second part of the public key established with $O_j$ are the pre-images of $\hat P'^{O_j}_U$ and $\hat P''^{O_j}_U$ under $\hat f_{O_j}$. More formally, U proves to V the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta,\varepsilon,\phi):\ \alpha = f_{O_j}(\beta)\ \wedge\ \gamma = \tilde f_{O_j}(\delta,\varepsilon)\ \wedge\ 1 = \mathrm{Ver}(\alpha \| \gamma, \phi, P_{O_j})\ \wedge\ \hat P'^{O_j}_U = \hat f_{O_j}(\delta)\ \wedge\ \hat P''^{O_j}_U = \hat f_{O_j}(\varepsilon)\}$$

[0137] The verifier V can now tell whether some user showed a credential twice by checking whether it has seen $\hat P'^{O_j}_U$ and $\hat P''^{O_j}_U$ before and, if this was the case, compute the user's pseudonym (this requires V to have obtained a response $z$ to a challenge $w$ as well, i.e., the challenge/response steps (c) to (e) above are carried out with V in place of $O_i$).

[0138] Allowing a user to prove possession of a credential up to k times can be done by letting the user choose k+1 additional secret keys (instead of the two used above), providing the images of all these keys under $\hat f_X$, and proving the according statement in step (b) of 2″″. The subsequent challenge/response steps would need to be adapted accordingly.
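The challenge/response of steps (c) to (e) and the secret recovery of [0133], as an added example that is not part of the patent text: a toy discrete-logarithm instantiation with $\hat f_X(s) = H^s$ and $\tilde f_X$ a multi-base product in a prime-order group. It generalizes to k allowed showings by letting the response be a degree-k polynomial in the challenge (the patent only sketches the k-show case in [0138]; the polynomial form is this example's choice). Group size, the class and function names, and the constructed secrets are all this example's own, and the parameters are far too small for real use.

```python
"""Added example (not from the patent): one-show credential with built-in
revocation, steps (c)-(e) and the recovery of [0133], over a toy discrete-log
group, generalised to k allowed showings with a degree-k polynomial response.
Toy-sized, insecure parameters; all names are this example's own."""
import secrets

P, Q = 2039, 1019                                  # P = 2Q + 1, toy safe prime
H = pow(2, 2, P)                                   # base of f^(s) = H^s, order Q
G = [pow(g, 2, P) for g in (3, 5, 7, 11)]          # bases of f~, supports k <= 3

def f_hat(s):
    """f^_X(s) = H^s mod P; homomorphic: f^(a)*f^(b) = f^(a+b), f^(c*a) = f^(a)^c."""
    return pow(H, s % Q, P)

def f_tilde(secs):
    """f~_X(s_0,...,s_k) = prod G[t]^{s_t}: the pseudonym part revealed on over-use."""
    out = 1
    for g, s in zip(G, secs):
        out = out * pow(g, s % Q, P) % P
    return out

class User:
    def __init__(self, k):
        self.k = k
        self.secs = [secrets.randbelow(Q) for _ in range(k + 1)]   # S~_0 .. S~_k
        self.pseudonym = f_tilde(self.secs)                           # P~ registered with O_j

    def commitments(self):
        """Step 0'''': images P^_t = f^(S~_t), sent with every showing."""
        return [f_hat(s) for s in self.secs]

    def respond(self, w):
        """Step (d): z = S~_0 (+) w*S~_1 (+) ... (+) w^k*S~_k, (+) = addition mod Q."""
        if w % Q == 0:
            raise ValueError("w = 0 would hand over S~_0 directly")
        return sum(s * pow(w, t, Q) for t, s in enumerate(self.secs)) % Q

def challenge():
    """Step (c): random non-zero challenge w."""
    while True:
        w = secrets.randbelow(Q)
        if w:
            return w

def verify(commits, w, z):
    """Step (e): f^(z) == prod_t (P^_t)^(w^t), by the homomorphism of f^."""
    rhs = 1
    for t, c in enumerate(commits):
        rhs = rhs * pow(c, pow(w, t, Q), P) % P
    return f_hat(z) == rhs

def _solve_mod_q(rows, rhs):
    """Gauss-Jordan elimination mod Q; rows form a Vandermonde matrix with distinct w's."""
    n = len(rows)
    m = [r[:] + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next(i for i in range(col, n) if m[i][col])
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [x * inv % Q for x in m[col]]
        for i in range(n):
            if i != col and m[i][col]:
                fac = m[i][col]
                m[i] = [(a - fac * b) % Q for a, b in zip(m[i], m[col])]
    return [m[i][n] for i in range(n)]

def revoke(transcripts, k):
    """Given k+1 transcripts (w, z) of the same credential with distinct w,
    recover S~_0..S~_k and hence the pseudonym P~ (no revocation manager needed)."""
    ws = [w for w, _ in transcripts]
    if len(transcripts) < k + 1 or len(set(ws)) != len(ws):
        raise ValueError("need k+1 transcripts with distinct challenges")
    rows = [[pow(w, t, Q) for t in range(k + 1)] for w in ws[:k + 1]]
    secs = _solve_mod_q(rows, [z for _, z in transcripts[:k + 1]])
    return secs, f_tilde(secs)

def over_use_reveals_pseudonym(k=1):
    """Show k+1 times (one too many): every showing verifies, and the collected
    transcripts reveal the secrets and P~."""
    u = User(k)
    commits = u.commitments()
    transcripts, seen = [], set()
    for _ in range(k + 1):
        w = challenge()
        while w in seen:                 # the toy Q is tiny; keep challenges distinct
            w = challenge()
        seen.add(w)
        z = u.respond(w)
        if not verify(commits, w, z):
            return False
        transcripts.append((w, z))
    secs, pseudonym = revoke(transcripts, k)
    return secs == u.secs and pseudonym == u.pseudonym
```

The verifier check in `verify` is exactly step (e) written for the polynomial response; `revoke` is what the transcript-collecting entity of [0147] runs once it holds more than k transcripts for the same commitments. With fewer than k+1 transcripts the system is underdetermined, which is why `revoke` refuses to "solve" it.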

[0139] As described in this section, proving possession of the same credential more than the allowed number of times reveals only some of the user's secret keys of the respective pseudonym. However, the system could be modified such that all the user's secret keys of the respective pseudonym get revealed. Depending on the mechanism chosen for non-transferability, this would mean that also the user's external secret key, or all the secret keys he chose within the system, get revealed. This would present quite a strong incentive for the user not to show a credential more than the allowed number of times.

[0140] It is acknowledged that the feature described above can easily be combined with other features.

[0141] Now it is explained how one-show credentials could be used, and the changes to the methods described above are provided such that the system can be applied for these usages of one-show credentials.

[0142] One-show credentials can be used for several reasons.

[0143] First, they can be used for tracking the usage of some credential, e.g., to detect when the same credential is used with any verifier, or to detect when the same credential is used with the same verifier (i.e., uses of the same credential with different verifiers cannot be linked). Second, they can be used to allow the user to use a credential only once. Tracking across verifiers can be realized with the methods having the one-show credential ability added to them: all data collected when some user proves possession of a credential by an organization, say $O_j$, needs to be sent to some central place, e.g., organization $O_j$.

[0144] Tracking with the same verifier only can be realized with the methods having the one-show credential ability added, with slight modifications: now, showings of the same credential to different entities must no longer be linkable. This can be achieved by using a different one-way function $\hat f_X$ for each entity X to which possession of the credential is proved, rather than one specific to the issuer of the credential. To assure that showings to different entities are indeed not linkable, the functions $\hat f_X$ must satisfy the following. Let $\hat f_{X_1}, \ldots, \hat f_{X_n}$ be such functions chosen by the entities $X_1$ through $X_n$, and let $O_j$ be the issuer of the credential. Then, given $\hat f_{X_1}(s_1), \ldots, \hat f_{X_n}(s_n)$ and $f_{O_j}(s')$, it must be hard to decide whether $s' = s_i$ for any $i \in \{1,\ldots,n\}$ and whether $s_i = s_k$ for any $i \neq k$ in $\{1,\ldots,n\}$.

[0145] In case a user is not allowed to show a credential more than once (or, in general, more than k times), e.g., if the credential represents electronic money, there are two ways to prevent a user from doing so. Both ways have in common that a user stays fully anonymous if he shows a credential only once (or at most k times). Both ways are also known as "double-spending" prevention mechanisms in digital money schemes (e.g., S. Brands, An efficient off-line electronic cash system based on the representation problem, Technical Report CS-R9323, CWI, April 1993; and D. Chaum, A. Fiat, and M. Naor, Untraceable electronic cash, in S. Goldwasser, editor, Advances in Cryptology, CRYPTO '88, volume 403 of Lecture Notes in Computer Science, pages 319-327, Springer Verlag, 1990).

[0146] In on-line use, some entity keeps track of whether a credential was used already or not. This entity could either be the organization that issued the credential or some independent central party (possibly a different one for each organization issuing credentials). For this, the method as described above for one-show credentials can be used, with the following modification to methods 2 and 3: after the organization $O_i$, resp. the verifier V, has obtained $\hat P_U^{O_j}$, it sends it to the entity keeping track of whether a credential has been used. If this entity finds $\hat P_U^{O_j}$ already in its database (or, in general, used the allowed number of times), it tells $O_i$, resp. V, that the credential was already used and is thus invalid; otherwise it adds $\hat P_U^{O_j}$ to its database (and/or increases the related counter) and tells $O_i$, resp. V, that the credential is still valid. Hence, $O_i$, resp. V, will only accept the showing of a credential if the track-keeping entity says that the credential is still valid. Thus usage of a credential more than the allowed number of times is prevented. Note that the user's anonymity is still guaranteed.

[0147] In off-line use, the usage of a credential more than the allowed number of times is not prevented but only detected. To discourage users from over-using a credential, over-usage gets punished. For this, the identity/pseudonym of a culprit must be known. However, the system should nevertheless protect innocent users. This can be achieved by using one-show credentials with built-in revocation as described above. To detect the over-usage of a credential in case it gets used with different verifiers/organizations, there needs to be an entity that collects all the transcripts of all showings of these credentials, similar to above, with the difference that this entity need not be on-line during the showing of credentials: it suffices if the verifiers/organizations send the transcripts to this entity, e.g., once a day. Upon receiving these transcripts, this entity can check whether a credential was used more than the allowed number of times and, if this is the case, retrieve the culprit's identity/pseudonym as described above and take the according punishment measures.

[0148] In another refinement of the methods according to the present invention, the methods provide the ability to have a designated verifier. This is realized with a special kind of credential having the property that a user can show it only to a particular verifier. Moreover, the user cannot convince anyone else that the credential is valid.

[0149] For this to work, we need two things. First, each issuing organization X publishes a homomorphic function $\check f_X(\cdot,\cdot)$. Second, the designated verifier (an ordinary verifier V or an organization $O_i$) must have made available a public key of a homomorphic public-key encryption scheme (e.g., P. Paillier, Public-key cryptosystems based on composite degree residuosity classes, in J. Stern, editor, Advances in Cryptology, EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 223-239, Springer Verlag, 1999).

[0150] Let $E_{V_i}$ and $D_{V_i}$ (resp. $E_{O_i}$ and $D_{O_i}$) denote the public and secret keys of the verifier (resp. organization) for such an encryption scheme. Due to the homomorphic property we then have, e.g., $c = \mathrm{Dec}_{D_{V_i}}(\mathrm{Enc}_{E_{V_i}}(a, r_1) \star \mathrm{Enc}_{E_{V_i}}(b, r_2)) = a \oplus b$. Furthermore, we require that the homomorphic property of this encryption scheme is "compatible" with the homomorphic property of the function $\check f_X$. That is, for the above example, we require that $\check f_X(0, c) = \check f_X(0, a) \star \check f_X(0, b)$, and more generally $\check f_X(a_1, a_2) \star \check f_X(b_1, b_2) = \check f_X(a_1 \oplus b_1, a_2 \oplus b_2)$.

[0151] Let $V_k$ be the designated verifier (which could be an ordinary verifier or an organization). In order to enter the pseudonym system, step 1 of the first method needs to be divided into several steps:

[0152] 1′″″(a) U chooses new (random) secret keys $S_U^{CA}$ and $\check S_U^{CA}$, computes $\check P = \check f_{CA}(S_U^{CA}, \check S_U^{CA})$ and $P_U^{CA} = f_{CA}(S_U^{CA})$, sends $\check P$ and $P_U^{CA}$ to the CA, and proves to the CA the following:

$$\mathrm{PK}\{(\alpha,\beta):\ P_U^{CA} = f_{CA}(\alpha)\ \wedge\ \check P = \check f_{CA}(\alpha,\beta)\}$$

[0153] (b) The CA chooses a random $\check S$ and an $r$, computes $\check P_U^{CA} = \check P \star \check f_{CA}(0, \check S)$ and $\check z_U^{(CA,V_k)} = \mathrm{Enc}_{E_{V_k}}(\check S, r)$, sends $\check P_U^{CA}$ and $\check z_U^{(CA,V_k)}$ to U, and proves to U the following:

$$\mathrm{PK}\{(\alpha,\beta):\ \check P_U^{CA} = \check P \star \check f_{CA}(0,\alpha)\ \wedge\ \check z_U^{(CA,V_k)} = \mathrm{Enc}_{E_{V_k}}(\alpha,\beta)\}$$

[0154] At the end of the protocol we have $\check P_U^{CA} = \check f_{CA}(S_U^{CA}, \check S_U^{CA} \oplus \check S)$, where $\check S$ is encrypted in $\check z_U^{(CA,V_k)}$ under the encryption public key of the verifier $V_k$. Thus U does not know the pre-image of $\check P_U^{CA}$ under $\check f_{CA}$.

[0155] This section describes how a designated verifier credential is issued by organization $O_i$. We assume that $O_i$ requires possession of a designated verifier credential issued by $O_j$, where $O_i$ is the designated verifier. From this description it should be clear how to issue such a credential when requiring another type of credential, as well as how to issue other types of credentials when requiring a designated verifier credential.

[0156] Almost all steps of the second method have to be adapted.

[0157] 1′″″.

[0158] (a) U chooses new (random) secret keys $S_U^{O_i}$ and $\check S_U^{O_i}$, computes $\check P = \check f_{O_i}(S_U^{O_i}, \check S_U^{O_i})$ and $P_U^{O_i} = f_{O_i}(S_U^{O_i})$, sends $\check P$ and $P_U^{O_i}$ to $O_i$, and proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta):\ P_U^{O_i} = f_{O_i}(\alpha)\ \wedge\ \check P = \check f_{O_i}(\alpha,\beta)\}$$

[0159] (b) $O_i$ chooses a random $\check S$ and an $r$, computes $\check P_U^{O_i} = \check P \star \check f_{O_i}(0, \check S)$ and $\check z_U^{(O_i,V_k)} = \mathrm{Enc}_{E_{V_k}}(\check S, r)$, sends $\check P_U^{O_i}$ and $\check z_U^{(O_i,V_k)}$ to U, and proves to U the following:

$$\mathrm{PK}\{(\alpha,\beta):\ \check P_U^{O_i} = \check P \star \check f_{O_i}(0,\alpha)\ \wedge\ \check z_U^{(O_i,V_k)} = \mathrm{Enc}_{E_{V_k}}(\alpha,\beta)\}$$

[0160] 2′″″. Depending on the requirements of $O_i$, user U has to prove to $O_i$ that U possesses credentials by various organizations (including the CA). Assume that U has to prove to $O_i$ the possession of a designated verifier credential by $O_j$ (with $O_i$ as the designated verifier). If $O_i$ requires U to prove possession of credentials from other organizations as well, the following steps are repeated for each of these organizations/credentials.

(a) U chooses random $S'$, $r_1$, $r_2$, and computes $z = \check z_U^{(O_j,O_i)} \star \mathrm{Enc}_{E_{O_i}}(S', r_1)$ and $S = \check S_U^{O_j} \ominus S'$, where $\ominus$ is defined as the inverse operation of $\oplus$. U also computes $e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(S_U^{O_j}, r_2)$, and sends $z$ and $e_1^{(O_i,O_j)}$ to $O_i$.

[0161] (b) U proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, and that U owns a credential by $O_j$ (w.r.t. the public key U established with $O_j$). More formally, U proves to $O_i$ the following:

$$\widetilde{\mathrm{PK}}\{(\alpha,\beta,\gamma,\delta,\varepsilon):\ \alpha = \check f_{O_j}(\beta,\gamma)\ \wedge\ e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\delta)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\varepsilon,P_{O_j})\}$$

[0162] The above method $\widetilde{\mathrm{PK}}$ is not an ordinary proof of knowledge like all the other proofs considered so far, because U does not know $\gamma$ (see the explanation below).

[0163] 3′″″. Finally, $O_i$ computes a credential on $\check P_U^{O_i}$, i.e., computes $c_U^{O_i} = \mathrm{Sig}(\check P_U^{O_i}, S_{O_i})$ and sends $c_U^{O_i}$ to U.

[0164] 4′″″. $O_i$ publishes the list $(\check P_U^{O_i}, c_U^{O_i}, e_1^{(O_i,O_j)}, O_j)$ for all $O_j$ for which it asked for the possession of credentials.

[0165] As already mentioned, the method $\widetilde{\mathrm{PK}}\{(\alpha,\beta,\gamma,\delta,\varepsilon):\ \alpha = \check f_{O_j}(\beta,\gamma) \wedge e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\delta) \wedge 1 = \mathrm{Ver}(\alpha,\varepsilon,P_{O_j})\}$ is not an ordinary proof of knowledge as described at the beginning. The reason is that the user does not know the value $\gamma$, because this value is shared between the user and the designated verifier (here $O_i$): from decrypting $z$ the designated verifier $O_i$ knows a value, say $s_i = \check S \oplus S'$, such that $\check P_U^{O_j} = \check f_{O_j}(S_U^{O_j}, s_i \oplus S)$, where $S$ and $S_U^{O_j}$ are secrets known only to U (indeed $s_i \oplus S = \check S \oplus S' \oplus \check S_U^{O_j} \ominus S' = \check S_U^{O_j} \oplus \check S$). Therefore, $O_i$ and U can only together execute the above proof, which now becomes a "multi-party computation" where both U and $O_i$ have secret inputs. The output of the computation will be 1 if and only if the secret inputs $\alpha,\beta,\gamma,\delta,\varepsilon$ of the two parties satisfy $\alpha = \check f_{O_j}(\beta,\gamma) \wedge e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\delta) \wedge 1 = \mathrm{Ver}(\alpha,\varepsilon,P_{O_j})$. Technically, this can for instance be realized using techniques described in M. Ben-Or, S. Goldwasser, and A. Wigderson, Completeness theorems for non-cryptographic fault-tolerant distributed computation, in Proc. 20th Annual ACM Symposium on Theory of Computing (STOC), pages 1-10, 1988.

[0166] In order to allow the showing of a credential to a verifier V under "multiple-show", the third method is revised as follows:

[0167] 0′″″. (new) U chooses random $S'$ and $r$, computes $z = \check z_U^{(O_j,V)} \star \mathrm{Enc}_{E_V}(S', r)$ and $S = \check S_U^{O_j} \ominus S'$, where $\ominus$ is defined as the inverse operation of $\oplus$, and sends $z$ to V.

[0168] 1′″″. U proves to V that it established a public key with $O_j$, and that U owns a designated verifier credential by $O_j$. More formally, U proves to V the following:

$$\widetilde{\mathrm{PK}}\{(\alpha,\beta,\gamma,\delta):\ \alpha = \check f_{O_j}(\beta,\gamma)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\}$$

[0169] With respect to this $\widetilde{\mathrm{PK}}$, the same remark as above applies.
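The issuing step (b) of [0159] and the showing step 0′″″ of [0167], as an added example that is not part of the patent text: a toy Paillier scheme stands in for the homomorphic encryption and $\check f_X(a,b) = g_1^a g_2^b$ in a prime-order group for the homomorphic function. The "compatibility" requirement of [0150] shows up concretely: Paillier adds plaintexts modulo $n$ while the group exponents are reduced modulo $Q$, so the example keeps $\check S, S' < Q$ with $n > 2Q$ so that the one sum it forms never wraps. The two-party proof $\widetilde{\mathrm{PK}}$ itself is not implemented; `joint_relation` only evaluates, with both parties' inputs in one place, the relation that such a computation would check. Parameters are toy-sized and insecure, and all names are this example's own.

```python
"""Added example (not from the patent): designated-verifier pseudonym mechanics
of issuing step (b) [0159] and showing step 0''''' [0167], with a toy Paillier
scheme as the homomorphic encryption and f-check(a, b) = g1^a * g2^b in a
prime-order group. Toy-sized, insecure parameters; all names are this example's own."""
import secrets
from math import gcd

# Toy discrete-log group: P = 2Q + 1; squared bases lie in the order-Q subgroup.
P, Q = 2039, 1019
G1, G2 = pow(3, 2, P), pow(5, 2, P)

def f_check(a, b):
    """f-check_X(a, b) = g1^a * g2^b mod P. Homomorphic in both arguments:
    f(a1, a2) * f(b1, b2) = f(a1 + b1, a2 + b2), exponents taken mod Q."""
    return pow(G1, a % Q, P) * pow(G2, b % Q, P) % P

# --- toy Paillier: Enc(a) * Enc(b) decrypts to a + b (mod n) ---------------------
def paillier_keygen(p1=101, p2=103):
    n = p1 * p2                         # n > 2Q, so the single sum formed below never wraps mod n
    lam = (p1 - 1) * (p2 - 1) // gcd(p1 - 1, p2 - 1)
    return n, (n, lam, pow(lam, -1, n))   # (E_V, D_V)

def paillier_enc(n, m):
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r and gcd(r, n) == 1:
            break
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2

def paillier_dec(sk, c):
    n, lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def paillier_add(n, c1, c2):
    """The star operation on ciphertexts."""
    return c1 * c2 % (n * n)

# --- issuing, step (b): the issuer blinds the second secret and escrows the blinding for V ---
def issue(E_V, S_U, Scheck_U):
    Pcheck = f_check(S_U, Scheck_U)               # user's value from step (a)
    Scheck = secrets.randbelow(Q)                 # issuer's random share
    Pcheck_U = Pcheck * f_check(0, Scheck) % P    # = f-check(S_U, Scheck_U (+) Scheck)
    zcheck = paillier_enc(E_V, Scheck)            # z-check = Enc_{E_V}(Scheck, r)
    return Pcheck_U, zcheck

# --- showing, step 0''''': the user re-randomizes the share for this showing -----
def show(E_V, zcheck, Scheck_U):
    S_prime = secrets.randbelow(Q)
    z = paillier_add(E_V, zcheck, paillier_enc(E_V, S_prime))   # decrypts to Scheck + S'
    S = (Scheck_U - S_prime) % Q                                 # S = Scheck_U (-) S'
    return z, S

def verifier_share(D_V, z):
    """Only the designated verifier (holder of D_V) obtains s_i = Scheck + S'."""
    return paillier_dec(D_V, z)

def joint_relation(Pcheck_U, S_U, S, s_i):
    """The relation alpha = f-check(beta, gamma) with gamma = S (+) s_i that the
    PK~ of [0165] checks as a two-party computation: S is U's input, s_i is V's.
    Here both inputs are handed to one function only to show that the relation holds."""
    return Pcheck_U == f_check(S_U, S + s_i)

def run():
    E_V, D_V = paillier_keygen()
    S_U, Scheck_U = secrets.randbelow(Q), secrets.randbelow(Q)
    Pcheck_U, zcheck = issue(E_V, S_U, Scheck_U)
    z1, S1 = show(E_V, zcheck, Scheck_U)          # two independent showings
    z2, S2 = show(E_V, zcheck, Scheck_U)
    s1, s2 = verifier_share(D_V, z1), verifier_share(D_V, z2)
    return {
        "relation_holds": joint_relation(Pcheck_U, S_U, S1, s1)
                          and joint_relation(Pcheck_U, S_U, S2, s2),
        "fresh_share_per_showing": (z1, S1) != (z2, S2),
    }
```

Because `issue` never hands $\check S$ to the user, U cannot compute the pre-image of `Pcheck_U` on its own, exactly the property stated in [0154]; and because only the holder of `D_V` can decrypt `z`, a party without that key has nothing to contribute to the joint relation, which is what makes the credential useless outside the designated verifier.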

[0170] The methods provided in this section can easily be adapted such that a credential can be used with several designated verifiers. This can be achieved by having the issuing party encrypt its $\check S$ for each of the designated verifiers. Thus the user would obtain a $\check z_U^{(O_i,V_k)}$ for each of these verifiers $V_k$.

[0171] Of course, all other features can be added as well.

[0172] For some applications it might be necessary that issued credentials are consistent. That is, if some friends who trust each other pool their credentials, they might obtain credentials that no individual would be able to get otherwise. Whereas this is not a problem for, e.g., access to a database, it is for credentials such as driver's licenses.

[0173] To enforce that credentials are consistent, we can require that a part of a user's secret remains the same for all pseudonyms she generates. Thus the function $f_{O_i}$ needs to take two arguments, i.e., $f_{O_i}(\cdot,\cdot)$. Now, a user is required to prove that, for all pseudonyms of which she proves possession, the first arguments to the functions $f_{O_i}$ are the same.

[0174] Step 1 of the first method needs to be modified as follows in order to enter the pseudonym system, i.e., to register with the CA.

[0175] 1″″″. U chooses a master secret key $S_U^M$ and a second secret key $S_U^{CA}$, computes the public key $P_U^{CA} = f_{CA}(S_U^M, S_U^{CA})$, and sends $P_U^{CA}$ to the CA.

[0176] Step 1 and step 2b of the second method have to be adapted to register with $O_i$ and to obtain a credential from $O_i$, $i>1$, as follows (step 2a, i.e., the encryption $e_1^{(O_i,O_j)}$, stays as before).

[0177] 1″″″. U chooses a new (random) secret key $S_U^{O_i}$, computes $P_U^{O_i} = f_{O_i}(S_U^M, S_U^{O_i})$, and sends $P_U^{O_i}$ to $O_i$.

[0178] 2b″″″. U proves to $O_i$ that it established a public key with $O_j$, that the corresponding secret key is encrypted in $e_1^{(O_i,O_j)}$ under the public key $P_U^{O_i}$, that U owns a credential by $O_j$ (w.r.t. the public key U established with $O_j$), and that the public key established with $O_i$ contains the same master secret. More formally, U proves to $O_i$ the following:

$$\mathrm{PK}\{(\alpha,\beta,\gamma,\delta,\varepsilon,\xi):\ \alpha = f_{O_j}(\varepsilon,\beta)\ \wedge\ e_1^{(O_i,O_j)} = \mathrm{Enc}_{P_U^{O_i}}(\beta,\gamma)\ \wedge\ 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\ \wedge\ P_U^{O_i} = f_{O_i}(\varepsilon,\xi)\}$$

[0179] Note that because the master secret key is the same for all pseudonyms, it need not be encrypted in $e_1^{(O_i,O_j)}$.

[0180] Showing a credential to a verifier V (multiple-show) works as follows:

[0181] 1′′′′′′. U proves to V that it established a public key with $O_j$ and that U owns a credential by $O_j$. More formally, U proves to V the following:

$PK\{(\alpha,\beta,\gamma,\delta):\ \alpha = f_{O_j}(\beta,\gamma) \wedge 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})\}$

[0182] The fact that pseudony﻿ms of the same user now contain the same master secret key allows a user to prove possession of several credentials without first establishing a pseudonym with the verifier. Assume that U wants to prove to V possession of credentials by $O_j$ and $O_k$. Then the third method becomes as follows.

[0183] 1′′′′′′′. U proves to V that it established public keys with $O_j$ and $O_k$, and that U owns credentials by $O_j$ and $O_k$. More formally, U proves to V the following:

$PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\eta):\ \alpha = f_{O_j}(\beta,\gamma) \wedge 1 = \mathrm{Ver}(\alpha,\delta,P_{O_j}) \wedge \varepsilon = f_{O_k}(\beta,\zeta) \wedge 1 = \mathrm{Ver}(\varepsilon,\eta,P_{O_k})\}$

Here $\beta$ is the master secret shared by both pseudonyms, and the second credential is verified against $O_k$'s public key $P_{O_k}$.

[0184] For the adaptations described in this section, it should be obvious how the methods look when combined with the other extensions.

[0185] Encoding an expiration date or another personalized attribute into a credential can be done in several ways. It could be encoded in the user's secret key $S_U^{O_i}$, in the public key $P_U^{O_i}$, or into the credential itself, e.g., $c_U^{O_i} = \mathrm{Sig}(P_U^{O_i} \,\|\, attr, P_{O_i})$, where $attr$ stands for the attribute that is checked. Whenever a user proves possession of such a credential, he must also prove that the required $attr$ is properly encoded. For the latter variant, the term $1 = \mathrm{Ver}(\alpha,\delta,P_{O_j})$ in the various PK's becomes $1 = \mathrm{Ver}(\alpha \,\|\, attr, \delta, P_{O_j})$, with $attr$ known to the verifier.

[0186] If the showing methods are interactive, the party to whom a user proves possession of a credential cannot convince a third party that the protocol actually took place. This is due to the zero-knowledge property of the PK (sub-)methods. In case it is required that a third party can be convinced that a protocol took place, one can turn the PK submethods into the corresponding non-interactive SPK's. The message $m$ that gets signed with such an SPK should contain all relevant information related to the respective instance of the showing method, for instance the verifier's identity and a fresh nonce, so that the signature cannot be replayed as evidence of a different showing.

[0187] A scheme is said to provide pseudonymity only if different showings of credentials are linkable and non-anonymous. Our system can be used in this way if we require that whenever a user proves possession of a credential he also provides, in the clear, the public key established with the issuing organization and the credential itself.

[0188] Previous pseudonym systems obtained PKI-assured non-transferability by requiring that all secret keys of users be constructed such that each of them contains as a part the "external secret key" $S_U^{PKI}$. Thus, when a user transfers a credential, he necessarily also needs to transfer the external secret key. This mechanism could of course also be used in our scheme (and be combined with the all-or-nothing transferability or any of the other features we described). If this mechanism is used, the encryptions $e_1^{(O_j,O_i)}$ are no longer necessary.

[0189] In the following we describe how the credential system can be implemented more efficiently. Before we can do so, however, we need to provide some building blocks.

[0190] Our construction is based on the decisional Diffie-Hellman assumption and the strong RSA assumption. It is provably secure in the random oracle model. In this section we outline some of the less well-known technical points that will be used when we describe our protocols.

[0191] The flexible RSA problem is the following. Let $n = pq$ be a randomly generated RSA modulus and let a random element $z \in \mathbb{Z}_n^*$ be given. Find an element $u \in \mathbb{Z}_n^*$ and a number $e \in \mathbb{Z}_{>1}$ such that $z \equiv u^e \pmod n$. The strong RSA assumption (SRSA) is that this problem is hard to solve. It is stronger than the traditional RSA assumption, which states that given a modulus $n$, an exponent $e$ and a random $z \in \mathbb{Z}_n^*$ it is hard to find $u \in \mathbb{Z}_n^*$ such that $z \equiv u^e \pmod n$; in the flexible variant the adversary additionally gets to choose $e$. Although both assumptions are stronger than assuming integer factorization to be hard, the only known way of solving the respective problems involves factoring the modulus.

[0192] The strong RSA assumption was introduced independently by Barić and Pfitzmann (Barić and Pfitzmann, 1997) and by Fujisaki and Okamoto (Fujisaki and Okamoto, 1997), and has subsequently proved instrumental for constructing existentially unforgeable signature schemes secure against adaptive chosen-message attacks (Cramer and Shoup, 1999; Gennaro et al., 1999), and for constructing other important primitives such as group signatures (Ateniese et al., 2000; Camenisch and Michels, 1998) and verifiable secret sharing (Fujisaki and Okamoto, 1998).

[0193] Let $G = \langle g \rangle$ denote a group of prime order $q$. The most basic protocol we consider is a zero-knowledge proof of knowledge of the discrete logarithm of some group element $y \in G$ to the base $g$ (Chaum et al., 1988; Schnorr, 1991). We briefly recall this protocol and its properties. The prover, knowing $x = \log_g y$, sends the verifier the commitment $t := g^r$, where $r \in_R \mathbb{Z}_q$. Then the verifier sends the prover a random challenge $c \in_R \{0,1\}^k$, which the prover answers with the response $s := r - cx \pmod q$. (The integer $k \geq 1$ is a security parameter.) The verifier accepts if $t = g^s y^c$. Triples $(t,c,s)$ with $t = g^s y^c$ are called accepting triples. As $x = \log_g y$ can be computed from two accepting triples $(t,c,s)$ and $(t,\dot c,\dot s)$ with $c \neq \dot c$, namely $x := (s - \dot s)(\dot c - c)^{-1} \pmod q$, this protocol is a proof of knowledge of $\log_g y$. Furthermore, the protocol is honest-verifier zero-knowledge. Using notation from (Camenisch and Stadler, 1997), this protocol is denoted

$PK\{(\alpha):\ y = g^\alpha\},$

[0194] which can be read as "zero-knowledge Proof of Knowledge of a value $\alpha$ such that $y = g^\alpha$ holds." The convention is that Greek letters denote the quantities the knowledge of which is being proved, while all other parameters are known to the verifier. Using this notation, a proof can be described by just pointing out its aim while hiding all details. This helps to see what is proved and to understand the design of higher-level protocols.

[0195] These kinds of proofs of knowledge (PK) can be turned into signature schemes by the so-called Fiat-Shamir heuristic (Fiat and Shamir, 1987). That is, the prover determines the challenge $c$ by applying a collision-resistant hash function $\mathcal{H}$ to the commitment $t$ and the message $m$ that is signed, i.e., $c = \mathcal{H}(t,m)$, and then computes the response as usual. The resulting signature consists of the challenge and the response. We denote such Signature schemes based on a zero-knowledge Proof of Knowledge (SPK) similarly to the PK's, e.g., $SPK\{(\alpha): y = g^\alpha\}(m)$. Such SPK's can be proved secure in the random oracle model (Bellare and Rogaway, 1993; Pointcheval, 1996) given the zero-knowledge and validity (soundness) properties of the underlying PK's.
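The Schnorr protocol of [0193] and its Fiat-Shamir transform of [0195] in running code, as an added example that is not code from the patent. The group is a toy one constructed for readability ($p = 2q+1 = 1019$, $g = 4$, challenge length $k = 8$), so the per-proof soundness error is $2^{-8}$ and none of these parameters is fit for use; the function names are this example's own. The block runs the three moves, extracts the witness from two accepting triples that share a commitment, shows the honest-verifier simulator, and signs a message with $SPK\{(\alpha): y = g^\alpha\}(m)$. Binding $y$ and the group parameters into the hash alongside $t$ and $m$ is an added hardening not stated in the text.

```python
import hashlib
import secrets

# Toy group, constructed for this example: p = 2q+1 is a safe prime, so the
# quadratic residues mod p form a subgroup of prime order q, and g = 4 = 2^2
# generates it. K = 8 keeps 2^K - 1 < q; a real deployment uses a group of
# 2^256 elements or more.
P, Q, G = 1019, 509, 4
K = 8

def keygen():
    """Prover's secret x and public y = g^x; the statement is PK{(alpha): y = g^alpha}."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Move 1 (prover): r in Z_q, t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def challenge():
    """Move 2 (verifier): c in {0,1}^K."""
    return secrets.randbits(K)

def respond(x, r, c):
    """Move 3 (prover): s = r - c x (mod q)."""
    return (r - c * x) % Q

def accepting(y, t, c, s):
    """Verifier's check; (t, c, s) is an accepting triple iff t == g^s y^c."""
    return t == pow(G, s, P) * pow(y, c, P) % P

def extract(c1, s1, c2, s2):
    """Two accepting triples sharing t with c1 != c2 reveal the witness,
    x = (s1 - s2)(c2 - c1)^-1 (mod q): the special-soundness extractor."""
    return (s1 - s2) * pow(c2 - c1, -1, Q) % Q

def simulate(y, c):
    """Honest-verifier zero knowledge: knowing c in advance, pick s first and
    set t = g^s y^c; the triple is accepting but was produced without x."""
    s = secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

def fs_challenge(y, t, msg):
    """Fiat-Shamir challenge c = H(t, m), truncated to K bits. Including y and
    the group parameters in the hash is an added hardening."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}|".encode() + msg).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - K)

def spk_sign(x, y, msg):
    """SPK{(alpha): y = g^alpha}(m): the signature is the pair (c, s)."""
    r, t = commit()
    c = fs_challenge(y, t, msg)
    return c, respond(x, r, c)

def spk_verify(y, msg, sig):
    """Recompute t = g^s y^c from the signature and check that it re-hashes to c."""
    c, s = sig
    return c == fs_challenge(y, pow(G, s, P) * pow(y, c, P) % P, msg)
```

The extractor is what makes the protocol a proof of knowledge, and the simulator is what makes it zero-knowledge for an honest verifier: the two transcripts an honest run and `simulate` produce are identically distributed, which is why a verifier cannot later convince anyone else that the proof happened ([0186]).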

[0196] We apply such PK's and SPK's to the group of quadratic residues modulo a composite $n$, i.e., $G = QR_n$. This choice of the underlying group has some consequences. First, the protocols are proofs of knowledge under the strong RSA assumption (Fujisaki and Okamoto, 1997). Second, the largest possible value $2^k - 1$ of the challenge $c$ must be smaller than the smallest factor of $G$'s order. This issue can be addressed by ensuring that $n$ is the product of two equal-sized safe primes, i.e., primes $p$ and $q$ such that $p' = (p-1)/2$ and $q' = (q-1)/2$ are prime (such $p'$ and $q'$ are called Sophie Germain primes). Then the order of $QR_n$ is $p'q'$ and values $k < \log\sqrt{n} - 4$ are fine. Third, soundness needs special attention in case the verifier is not equipped with the factorization of $n$, as then deciding membership in $QR_n$ is believed to be hard. Thus the prover needs to convince the verifier that the elements he presents are indeed quadratic residues, i.e., that the square roots of the presented elements exist. This can in principle be done with a protocol by Fiat and Shamir (Fiat and Shamir, 1987). However, it is often sufficient to simply execute $PK\{(\alpha): y^2 = (g^2)^\alpha\}$ instead of $PK\{(\alpha): y = g^\alpha\}$. The quantity $\alpha$ is then defined as $\log_{g^2} y^2$, which is the same as $\log_g y$ in case $y$ is a quadratic residue. (This squaring is why the protocols below are stated over $(P_U^{O_i})^2$, $C_1^2$, $a_{O_i}^2$, and so on.)

[0197] The following lists and briefly reviews those extensions of the basic $PK\{(\alpha): y = g^\alpha\}$ that we need as building blocks. We also cast these extensions in the notation explained above.

[0198] A proof of knowledge of a representation of an element $y \in G$ with respect to several bases $z_1, \ldots, z_v \in G$ (Chaum et al., 1988) is denoted $PK\{(\alpha_1,\ldots,\alpha_v):\ y = z_1^{\alpha_1} \cdots z_v^{\alpha_v}\}$.

[0199] A proof of equality of the discrete logarithms of two group elements $y_1, y_2 \in G$ to the bases $g \in G$ and $h \in G$, respectively (Chaum, 1991; Chaum and Pedersen, 1993), is denoted $PK\{(\alpha):\ y_1 = g^\alpha \wedge y_2 = h^\alpha\}$. Generalizations to prove equalities among representations of the elements $y_1,\ldots,y_w \in G$ to bases $g_1,\ldots,g_v \in G$ are straightforward (Camenisch and Stadler, 1997).

[0200] A proof of knowledge of a discrete logarithm of $y \in G$ with respect to $g \in G$ such that $\log_g y$ lies in the integer interval $[a,b]$ is denoted by $PK\{(\alpha):\ y = g^\alpha \wedge \alpha \in [a,b]\}$. Under the strong RSA assumption, and if it is assured that the prover is not provided with the factorization of the modulus (i.e., is not provided with the order of the group), this proof can be done efficiently (Boudot, 2000) (it compares to about six ordinary

[0201] The previous protocol can also be used to prove that the discrete logarithms of two group elements $y_1 \in G_1$ and $y_2 \in G_2$ to the bases $g_1 \in G_1$ and $g_2 \in G_2$ in different groups $G_1$ and $G_2$ are equal (Brickell et al., 1988; Camenisch and Michels, 1999b). Let the orders of the groups be $q_1$ and $q_2$, respectively. This proof can be realized only if both discrete logarithms lie in the interval $[0, \min\{q_1,q_2\}]$. The idea is that the prover commits to the discrete logarithm in some group, say $G = \langle g \rangle = \langle h \rangle$, the order of which he does not know, and then executes

$PK\{(\alpha,\beta):\ y_1 \overset{G_1}{=} g_1^\alpha \wedge y_2 \overset{G_2}{=} g_2^\alpha \wedge C \overset{G}{=} g^\alpha h^\beta \wedge \alpha \in [0,\min\{q_1,q_2\}]\},$

where $C$ is the commitment. This kind of protocol generalizes to several different groups, to representations, and to arbitrary modular relations.

[0202] Verifiable encryption is a two-party protocol between a prover and encryptor P and a verifier and receiver V. Their common inputs are a public encryption key $E$, a public value $\upsilon$, and a binary relation $R$ on bit strings. As a result of the protocol, V either rejects or obtains the encryption $e$ of some value $s$ under $E$ such that $(s,\upsilon) \in R$. For instance, $R$ could be the relation $\{(s, g^s)\} \subset \mathbb{Z}_q \times G$. The protocol should ensure that V accepts an encryption of an invalid $s$ only with negligible probability and that V learns nothing beyond the fact that the encryption contains some $s$ with $(s,\upsilon) \in R$. The encryption key $E$ typically belongs to a third party, which is not involved in the protocol at all.

[0203] Generalizing the protocol of Asokan et al. (Asokan et al., 2000), Camenisch and Damgård (Camenisch and Damgård, 1998) provide a verifiable encryption scheme for all relations $R$ that have an honest-verifier zero-knowledge three-move proof of knowledge where the second message is a random challenge and the witness can be computed from two transcripts with the same first message but different challenges. This includes most known proofs of knowledge, and in particular all proofs about discrete logarithms from the previous section.

[0204] Their verifiable encryption scheme is itself a three-move proof of knowledge of the encrypted witness $s$ and is computationally zero-knowledge if a semantically secure encryption scheme is used (Camenisch and Damgård, 1998).

[0205] The basic idea of their scheme is that the prover starts the PK protocol for the relation he wants to prove, i.e., computes the commitment $t$. Then he computes the responses $s_0$ and $s_1$ to the challenges $c = 0$ and $c = 1$, encrypts these two responses under the public key $E$, and sends these encryptions to the verifier. Receiving these, the verifier randomly chooses one of them and asks the prover to open it, thus obtaining a response to either $c = 0$ or $c = 1$. Finally, the verifier accepts if the response is valid in the PK protocol w.r.t. the corresponding challenge. This procedure needs to be repeated sufficiently many times to obtain validity (i.e., such that the verifier is assured that at least one of the unopened encryptions also contains a valid response; a cheating prover survives each round with probability 1/2, so after $k$ rounds the error is $2^{-k}$). It is easy to see that, assuming the adversary never gains access to the secret key of the underlying encryption scheme, the protocol is computationally zero-knowledge if the PK is so and the encryption scheme is semantically secure. On the other hand, if the third party opens the second encryption as well, one gets two accepting triples and hence can compute the witness by the properties of the underlying PK. We refer to Camenisch and Damgård (Camenisch and Damgård, 1998) for further details and efficiency improvements.

[0206] We use a similar notation for verifiable encryption as for the PK's and denote by, e.g.,

$e := VE(\mathrm{ElGamal}, (g,y))\{\xi:\ \upsilon = g^\xi\}$

[0207] the verifiable encryption protocol for the ElGamal scheme, whereby $\log_g \upsilon$ is encrypted in $e$ under the public key $(g,y)$. Note that $e$ is not a single encryption but the verifier's entire transcript of the protocol, and contains several encryptions, commitments and responses of the underlying PK.

[0208] Our scheme requires each user to encrypt each of her secret keys under one of her public keys, thereby creating "circular encryptions". However, the definition of a semantically secure encryption scheme does not provide security for such encryptions. Moreover, it is not known whether circular security is possible under general assumptions. In this paragraph we provide, for the first time, a construction for an encryption scheme that provides security for circular encryptions in the random oracle model, given any semantically secure encryption scheme.

[0209] A semantically secure scheme $\mathcal{G} = (E,D)$ on message space $\{0,1\}^l$ is circular-secure if for all probabilistic polynomial-time families of Turing machines $\{A_k\}$, for all sufficiently large $k$, for all $n = \mathrm{poly}(k)$, and for all assignments to $(i_1,\ldots,i_n)$ and $(j_1,\ldots,j_n)$,

$\bigl|\Pr[A_k(C,E_1,\ldots,E_n) = 0 \mid (E_1,D_1) \in_R \mathcal{G},\ldots,(E_n,D_n) \in_R \mathcal{G};\ C = (E_{i_1}(0),\ldots,E_{i_n}(0))] - \Pr[A_k(C,E_1,\ldots,E_n) = 0 \mid (E_1,D_1) \in_R \mathcal{G},\ldots,(E_n,D_n) \in_R \mathcal{G};\ C = (E_{i_1}(D_{j_1}),\ldots,E_{i_n}(D_{j_n}))]\bigr| = \mathrm{neg}(k)$

[0210] (I.e., having access to encryptions of the secret keys does not help the adversary in breaking the semantic security of the system.)

[0211] Let $\mathcal{H}: \{0,1\}^* \to \{0,1\}^k$ be a random oracle, and let $\oplus$ denote the bitwise XOR operation. Let $\mathcal{G} = (E,D)$ be a semantically secure cryptosystem with message space $\{0,1\}^l$. Construct $\mathcal{G}' = (E',D')$ as follows: generate $(E,D)$ according to $\mathcal{G}$. To encrypt a message $m \in \{0,1\}^k$, $E'$ picks a random $r \in_R \{0,1\}^l$ and sets $E'(m) := (E(r), \mathcal{H}(r) \oplus m)$. To decrypt a tuple $(a,b)$, $D'$ computes $\tilde m := \mathcal{H}(D(a)) \oplus b$.

[0212] If $\mathcal{G}$ is semantically secure, then $\mathcal{G}'$ is circular-secure.

[0213] As a basis for our circular encryption scheme, we use a variant of ElGamal encryption (ElGamal, 1985) where the public key $P = a^x b^y$ is derived from two bases $a$ and $b$ (of possibly unknown order) and two secret keys $x$ and $y$. This variant of the ElGamal cryptosystem is known to be semantically secure under the decisional Diffie-Hellman assumption. The resulting circular encryption scheme is as follows. Let the order of $G = \langle a \rangle = \langle b \rangle$ be $\approx 2^l$. To encrypt a message $m \in \{0,1\}^k$, choose a random element $r_1 \in G$ and a random integer $r_2 \in \{0,1\}^{2l}$, and compute the encryption

$(u,v,w,z) := (P^{r_2} r_1,\ a^{r_2},\ b^{r_2},\ \mathcal{H}(r_1) \oplus m).$

[0214] Decryption works by computing $\mathcal{H}\bigl(u/(v^x w^y)\bigr) \oplus z$, which recovers $m$ because $v^x w^y = a^{r_2 x} b^{r_2 y} = P^{r_2}$.

[0215] We denote this encryption scheme by CEIG and write, e.g., $VE(\mathrm{CEIG}, (\mathcal{H},a,b,P))\{\xi:\ \upsilon = g^\xi\}$ when using it for verifiable encryption.
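The CEIG scheme of [0213] and [0214], and its use in the cut-and-choose verifiable encryption of [0205], as an added example that is not code from the patent. The group is a toy one constructed for the example (modulus 1019, subgroup of prime order 509, with $a$, $b$, $g$ fixed squares), the random oracle $\mathcal{H}$ is SHA-256 truncated to 128 bits, and the encrypted witness is a Schnorr exponent $\xi$ with $\upsilon = g^\xi$; a real deployment works in the $QR_n$ group of [0196] at full size, and all function names are this example's own. The block encrypts and decrypts, runs both sides of $VE(\mathrm{CEIG}, (\mathcal{H},a,b,P))\{\xi: \upsilon = g^\xi\}$ round by round, and shows how a party holding $(x,y)$ recovers $\xi$ from the ciphertext the verifier never asked to have opened, which is the mechanism Protocol 4 below relies on for all-or-nothing transferability.

```python
import hashlib
import secrets

# Toy group, constructed for this example (the patent uses QR_n of unknown
# order at full size): p = 2q+1 is a safe prime, and a, b, g are squares, so
# each generates the subgroup of quadratic residues, which has prime order q.
P_MOD, Q_ORD = 1019, 509
A, B, G = 4, 9, 16
K = 128                                  # message length; H maps G -> {0,1}^K
TWO_L = 2 * Q_ORD.bit_length()           # r2 is drawn from {0,1}^{2l}

def H(elem):
    """Random-oracle stand-in: SHA-256 of the group element, truncated to K bits."""
    digest = hashlib.sha256(b"CEIG|" + elem.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[: K // 8], "big")

def keygen():
    """Secret keys (x, y) and public key P = a^x b^y."""
    x, y = secrets.randbelow(Q_ORD), secrets.randbelow(Q_ORD)
    return (x, y), pow(A, x, P_MOD) * pow(B, y, P_MOD) % P_MOD

def encrypt(pk, m, coins=None):
    """(u, v, w, z) = (P^r2 r1, a^r2, b^r2, H(r1) xor m) for m in {0,1}^K.
    Passing coins=(r1, r2) re-runs an earlier encryption, which is how the
    prover opens a ciphertext to the verifier."""
    if coins is None:
        coins = (pow(G, secrets.randbelow(Q_ORD), P_MOD), secrets.randbits(TWO_L))
    r1, r2 = coins
    u = pow(pk, r2, P_MOD) * r1 % P_MOD
    return (u, pow(A, r2, P_MOD), pow(B, r2, P_MOD), H(r1) ^ m), coins

def decrypt(sk, ct):
    """m = H(u / (v^x w^y)) xor z; v^x w^y equals P^r2, so the quotient is r1."""
    x, y = sk
    u, v, w, z = ct
    mask = pow(v, x, P_MOD) * pow(w, y, P_MOD) % P_MOD
    return H(u * pow(mask, -1, P_MOD) % P_MOD) ^ z

def ve_prover_round(pk, xi):
    """One cut-and-choose round for PK{(xi): upsilon = g^xi}: commit t = g^r,
    then encrypt both responses s0 = r (c = 0) and s1 = r - xi (c = 1)."""
    r = secrets.randbelow(Q_ORD)
    responses = (r, (r - xi) % Q_ORD)
    cts, coins = zip(*(encrypt(pk, s) for s in responses))
    return pow(G, r, P_MOD), list(cts), list(zip(responses, coins))

def ve_verifier_round(pk, upsilon, t, cts, b, opening):
    """Verifier chose bit b; check that the opening reproduces cts[b] and that
    (t, b, s_b) is an accepting triple, t == g^s_b upsilon^b."""
    s_b, coins = opening
    return (encrypt(pk, s_b, coins)[0] == cts[b]
            and t == pow(G, s_b, P_MOD) * pow(upsilon, b, P_MOD) % P_MOD)

def ve_run(pk, upsilon, xi, rounds=32):
    """VE(CEIG, (H, a, b, P)){xi: upsilon = g^xi}: returns the verifier's
    transcript, or None if a round fails (a cheater survives a round w.p. 1/2)."""
    transcript = []
    for _ in range(rounds):
        t, cts, openings = ve_prover_round(pk, xi)
        b = secrets.randbits(1)
        if not ve_verifier_round(pk, upsilon, t, cts, b, openings[b]):
            return None
        transcript.append((t, cts, b, openings[b][0]))
    return transcript

def ve_recover(sk, transcript):
    """A party holding (x, y) decrypts the unopened ciphertext of one round and
    combines the two responses: xi = s0 - s1 (mod q)."""
    t, cts, b, s_b = transcript[0]
    s_other = decrypt(sk, cts[1 - b])
    s0, s1 = (s_b, s_other) if b == 0 else (s_other, s_b)
    return (s0 - s1) % Q_ORD
```

The same `encrypt`/`decrypt` pair also illustrates the circular use of [0208]: encrypting one pseudonym's $(x,y)$ under another pseudonym's key and vice versa means that whoever learns either key pair can decrypt the other, which is the point of the encryptions published in step 4:4 below.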

[0216] Our pseudonym system requires a prover to verifiably encrypt under a public key that is not revealed to the verifier; that is, the verifier gets to see only a commitment to this public key. Moreover, the prover knows the secret key corresponding to this public key.

[0217] Recall that the verifiable encryption protocol described earlier demands that the prover open encryptions. In case the verifier knows the encryption public key, the prover can provably open an encryption just by providing the message and all random choices she made. The verifier then simply re-runs the encryption algorithm and checks whether this results in the same encryption. In case the verifier does not know the encryption public key, however, this does not work. In the following we describe how the prover can nevertheless convince the verifier that an encryption contains the value she claims. We use the same encryption scheme as in the previous section, i.e., $P = a^x b^y$ serves as public key, and $x$ and $y$ as the corresponding secret keys. Let $C = P g^r$ be the commitment to $P$, where $g$ is a third random generator of $G = \langle a \rangle = \langle b \rangle$, and let $(u,v,w,z) = (P^{r_2} r_1, a^{r_2}, b^{r_2}, \mathcal{H}(r_1) \oplus m)$ be an encryption of $m$ as above. To convince the verifier that $m$ is indeed encrypted in $(u,v,w,z)$ under the public key committed to by $C$, the prover reveals $r_1$ and engages with the verifier in

$PK\{(\alpha,\beta,\gamma,\delta):\ C = a^\alpha b^\beta g^\gamma \wedge v = a^\delta \wedge w = b^\delta \wedge u/r_1 = v^\alpha w^\beta\}.$

[0218] The verifier further needs to check that $z = \mathcal{H}(r_1) \oplus m$. The last conjunct works because $u/r_1 = P^{r_2} = a^{x r_2} b^{y r_2} = v^x w^y$, so the same $\alpha, \beta$ that open $C$ must be the secret keys under which $u$ was formed.

[0219] In the following we write, e.g., $VE(\mathrm{C\text{-}CEIG}, (\mathcal{H},a,b,g,C))\{\xi:\ \upsilon = g^\xi\}$ for verifiable encryption with a committed encryption public key.

[0220] We first describe our basic pseudonym system with all-or-nothing and PKI-assured non-transferability. The basic system comprises protocols for a user to join the system, to register with an organization, to obtain multi-show credentials, and to show such credentials. We then describe extensions that allow for one-show credentials as well as for revocability.

[0221] Throughout we assume that users and organizations are connected by perfectly anonymous channels. Furthermore, we assume that for each protocol the organization authenticates itself towards the user and that they establish a secure channel between them for each session. For any protocol we describe, we implicitly assume that if some check or sub-protocol (e.g., some proof of knowledge PK) fails for some party, it informs the other participating parties of this and stops.

[0222] In the following we use CA and $O_0$ as interchangeable names for the pseudonym system's certification authority.

[0223] Our basic system is composed of the protocols presented below inthe following way.

[0224] System setup: The system parameters are agreed upon, and all organizations (including the CA) choose their keys and make the public keys available. Organizations (apart from the CA) may join and leave at any time.

[0225] A User Joining the System/Registering with the CA:

[0226] 1. User U identifies herself towards the CA, who checks that she is eligible to join the system.

[0227] 2. U chooses a random nym master secret $x_U \in \Gamma$.

[0228] 3. They run Protocol 1 to establish U's pseudonym $P_U^{CA}$ with the CA.

[0229] 4. If PKI-assured non-transferability is wanted, U and the CA run Protocol 5.

[0230] 5. The CA grants U a credential, i.e., they run Protocol 2.

[0231] A User Registering with Organization $O_i$ and Obtaining a Credential from $O_i$:

[0232] 1. U and $O_i$ run Protocol 1 to establish U's pseudonym $P_U^{O_i}$ with $O_i$.

[0233] 2. Let $\mathcal{O}$ be the set of organizations from which U must possess a credential in order to obtain a credential from $O_i$. For each $O_j \in \mathcal{O}$, user U and $O_i$ carry out Protocol 4.

[0234] 3. $O_i$ grants U a credential, i.e., they run Protocol 2.

[0235] Note that the above steps could be executed at different times.

[0236] A User Accessing a Service:

[0237] Case I. Assume that U wants to access some service from V and that to do so U needs to hold a credential by $O_j$. In this case U can access the service by executing Protocol 3 with V.

[0238] Case II. In case U is required to hold credentials from a set $\mathcal{O}$ of organizations, U must first establish a pseudonym with V, i.e., run Protocol 1, and then run Protocol 4 for each $O_j \in \mathcal{O}$. If it is understood that the established pseudonym is one-time, i.e., if U is not allowed to access the service again just by proving ownership of the established pseudonym, U and V need not execute the verifiable-encryption step 4:3 of the latter protocol (nor, consequently, the publication of its output in step 4:4).

[0239] System parameter and key generation work as follows. For simplicity we assume some common system parameters: the length $l_n$ of the RSA moduli and the integer intervals $\Gamma = \,]-2^{l_\Gamma}, 2^{l_\Gamma}[$, $\Delta = \,]-2^{l_\Delta}, 2^{l_\Delta}[$ and $\Lambda = \,]2^{l_\Lambda}, 2^{l_\Lambda + l_\Sigma}[$, such that $l_\Delta = \varepsilon\, l_\Gamma$ and $l_\Gamma = 2 l_n$, where $\varepsilon > 1$ is a security parameter, and such that $2^{l_\Lambda} > 2(2^{2 l_\Gamma} + 2^{l_\Gamma} + 2^{l_\Delta})$ and $2\bigl(2^{l_\Sigma}(2^{2 l_\Gamma} + 2^{l_\Delta}) + 2^{l_\Delta}\bigr) < 2^{l_\Lambda}$.

[0240] Each organization $O_i$ (including the CA) chooses random $l_n/2$-bit primes $p'_{O_i}, q'_{O_i}$ such that $p_{O_i} = 2p'_{O_i} + 1$ and $q_{O_i} = 2q'_{O_i} + 1$ are prime, and sets the modulus $n_{O_i} = p_{O_i} q_{O_i}$. It also chooses random elements $a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i} \in QR_{n_{O_i}}$. It stores $S_{O_i} := (p_{O_i}, q_{O_i})$ as its secret key and publishes $P_{O_i} := (n_{O_i}, a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i})$ as its public key, together with a proof that $n_{O_i}$ is the product of two safe primes (see (Camenisch and Michels, 1999a) for how this can be done) and that the elements $a_{O_i}, b_{O_i}, d_{O_i}, g_{O_i}, h_{O_i}$ indeed lie in $QR_{n_{O_i}}$ (this can be done by providing their square roots; then, to check that an element $s$ has order at least $p'q'$, one only needs to test whether $\gcd(s \pm 1, n_{O_i}) = 1$).

[0241] This paragraph describes how a user U establishes a pseudonym with organization $O_i$.

[0242] Let $x_U \in \Gamma$ be U's nym master secret. In case $O_i$ is the CA, i.e., U has not yet entered the system, U needs to choose a random $x_U \in_R \Gamma$ before entering the protocol below. We will see later how it is ensured that U uses the same $x_U$ with other organizations.

[0243] To establish a pseudonym $P_U^{O_i}$ with $O_i$, user U engages in Protocol 1 with $O_i$. The protocol assures that the established pseudonym is of the right form, i.e., $P_U^{O_i} = a_{O_i}^{x_U} b_{O_i}^{s_U^{O_i}}$ with $x_U \in \Gamma$ and $s_U^{O_i} \in \Delta$. The value $s_U^{O_i}$ is chosen jointly by $O_i$ and U, but without $O_i$ learning anything about either $x_U$ or $s_U^{O_i}$. Note that this protocol does not assure that U uses the same $x_U$ as with other organizations; this is taken care of later in Protocol 4.

Protocol 1.

[0244] 1:1. U chooses random $r_1 \in_R \Delta$ and $r_2, r_3 \in_R \{0,1\}^{2 l_n}$, computes $C_1 = g_{O_i}^{r_1} h_{O_i}^{r_2}$ and $C_2 = g_{O_i}^{x_U} h_{O_i}^{r_3}$, and sends $C_1$ and $C_2$ to $O_i$.

[0245] 1:2. U engages with $O_i$ in $PK\{(\alpha,\beta,\gamma,\delta):\ C_1^2 = (g_{O_i}^2)^\alpha (h_{O_i}^2)^\beta \wedge C_2^2 = (g_{O_i}^2)^\gamma (h_{O_i}^2)^\delta\}$, proving that U formed $C_1$ and $C_2$ correctly.

[0246] 1:3. $O_i$ chooses a random $r \in_R \Delta$ and sends $r$ to U.

[0247] 1:4. U chooses $r_4 \in_R \{0,1\}^{l_n}$ and computes

$s_U^{O_i} = \bigl((r_1 + r) \bmod (2^{l_\Delta + 1} + 1)\bigr) - 2^{l_\Delta} + 1, \qquad \tilde s = \left\lfloor \frac{r_1 + r}{2^{l_\Delta + 1} + 1} \right\rfloor,$

[0248] $P_U^{O_i} = a_{O_i}^{x_U} b_{O_i}^{s_U^{O_i}}$ and $C_3 = g_{O_i}^{\tilde s} h_{O_i}^{r_4}$, and sends $P_U^{O_i}$ and $C_3$ to $O_i$.

[0249] 1:5. U engages with $O_i$ in

$PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\theta,\nu):\ C_1^2 = (g_{O_i}^2)^\alpha (h_{O_i}^2)^\beta \wedge C_2^2 = (g_{O_i}^2)^\gamma (h_{O_i}^2)^\delta \wedge C_3^2 = (g_{O_i}^2)^\varepsilon (h_{O_i}^2)^\zeta \wedge (P_U^{O_i})^2 = (a_{O_i}^2)^\gamma (b_{O_i}^2)^\theta \wedge \frac{C_1^2\,(g_{O_i}^2)^{r - 2^{l_\Delta} + 1}}{(C_3^2)^{2^{l_\Delta + 1} + 1}} = (g_{O_i}^2)^\theta (h_{O_i}^2)^\nu \wedge \gamma \in \Gamma \wedge \theta \in \Delta\}$

[0250] proving that U formed $P_U^{O_i}$ and $C_3$ correctly.

[0251] 1:6. $O_i$ stores $(P_U^{O_i})^2$ and $P_U^{O_i}$.

[0252] 1:7. U stores $(P_U^{O_i})^2$, $P_U^{O_i}$, and $s_U^{O_i}$.

[0253] Let us explain the steps of this protocol in more detail. First, U commits to $x_U$ and to her contribution $r_1$ to $s_U^{O_i}$. She sends $O_i$ these commitments and proves to $O_i$ that she knows the committed values (this proof is necessary already at this point of the protocol for the security proof to work). After this, $O_i$ chooses its contribution $r$ to $s_U^{O_i}$ and sends it to U, who computes $s_U^{O_i}$ and $P_U^{O_i}$, sends $P_U^{O_i}$ to $O_i$, and proves that she computed $P_U^{O_i}$ correctly, i.e., that $s_U^{O_i}$ lies in $\Delta$ and is computed correctly from $r$ and the value $r_1$ she committed to earlier in $C_1$, and that the $a$-exponent of $P_U^{O_i}$ is the $x_U$ committed to in $C_2$. For technical reasons, we consider $P$ and $\tilde P$ to be the same pseudonym if $P^2 = \tilde P^2$.

[0254] We now describe how a credential can be generated efficiently.

[0255] A credential on a pseudonym $P$ issued by $O_i$ is a pair $(c,e)$ with $c \in \mathbb{Z}_{n_{O_i}}^*$ and $e \in \Lambda$ prime such that $c^e \equiv P d_{O_i} \pmod{n_{O_i}}$. To generate a credential on a previously established pseudonym $P_U^{O_i}$, organization $O_i$ and user U carry out the following protocol.

Protocol 2.

[0256] 2:1. U identifies herself as the owner of $P_U^{O_i}$ by engaging in $PK\{(\alpha,\beta):\ (P_U^{O_i})^2 = (a_{O_i}^2)^\alpha (b_{O_i}^2)^\beta\}$ with $O_i$.

[0257] 2:2. $O_i$ looks up $P_U^{O_i}$, chooses a random prime $e_U^{O_i} \in_R \Lambda$, computes $c_U^{O_i} = (P_U^{O_i} d_{O_i})^{1/e_U^{O_i}} \bmod n_{O_i}$ (which it can do since it knows the order $p'_{O_i} q'_{O_i}$ of $QR_{n_{O_i}}$), sends $c_U^{O_i}$ and $e_U^{O_i}$ to U, and stores $c_U^{O_i}$ together with $P_U^{O_i}$.

[0258] 2:3. U checks whether $(c_U^{O_i})^{e_U^{O_i}} \equiv P_U^{O_i} d_{O_i} \pmod{n_{O_i}}$ and stores $(c_U^{O_i}, e_U^{O_i})$ together with $P_U^{O_i}$.

[0259] Step 2:1 can of course be omitted if Protocol 2 takes place in the same session as some other protocol in which U already proved ownership of $P_U^{O_i}$.

[0260] The following paragraph describes how showing a single credential can be implemented efficiently.

[0261] Assume a user U wants to prove possession of a credential by organization $O_j$ to a verifier V. They engage in the following protocol.

Protocol 3.

[0262] 3:1. U chooses $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, computes $A = c_U^{O_j} h_{O_j}^{r_1}$ and $B = h_{O_j}^{r_1} g_{O_j}^{r_2}$, and sends $A, B$ to V.

[0263] 3:2. U engages with V in

$PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\xi):\ d_{O_j}^2 = (A^2)^\alpha \bigl(1/a_{O_j}^2\bigr)^\beta \bigl(1/b_{O_j}^2\bigr)^\gamma \bigl(1/h_{O_j}^2\bigr)^\delta \wedge B^2 = (h_{O_j}^2)^\varepsilon (g_{O_j}^2)^\zeta \wedge 1 = (B^2)^\alpha \bigl(1/h_{O_j}^2\bigr)^\delta \bigl(1/g_{O_j}^2\bigr)^\xi \wedge \beta \in \Gamma \wedge \gamma \in \Delta \wedge \alpha \in \Lambda\}.$

[0264] The PK in step 3:2 proves that U possesses a credential issued by $O_j$ on some pseudonym registered with $O_j$. With $\alpha = e_U^{O_j}$, $\beta = x_U$, $\gamma = s_U^{O_j}$, $\delta = r_1 e_U^{O_j}$, $\varepsilon = r_1$, $\zeta = r_2$ and $\xi = r_2 e_U^{O_j}$, the first relation is $(c_U^{O_j})^{e_U^{O_j}} \equiv P_U^{O_j} d_{O_j}$ rewritten in terms of the blinded value $A$, and the second and third relations tie the $h$-exponent $\delta$ to the same $r_1$ through $B$, so that V learns neither $c_U^{O_j}$ nor $P_U^{O_j}$.
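Protocols 1 to 3 in numbers, as an added example that is not code from the patent. It uses a toy organization key constructed for this example (safe primes $p = 1019$ and $q = 1187$, so $l_n = 21$) with the interval lengths scaled down such that the two constraints on $l_\Lambda$ from [0239] still hold; the names, the Miller-Rabin helper, and the choice of fixed squares for $a, b, d, g, h$ are this example's own, and a real organization draws $l_n \geq 1024$ and random generators. The block computes $s_U^{O_i}$ and $\tilde s$ from the two parties' contributions as in step 1:4, forms $P = a^x b^s$, issues $(c,e)$ as in step 2:2 using the secret order $p'q'$ of $QR_n$, verifies it as in step 2:3, and blinds the credential as in step 3:1, checking in the open with the witnesses that the relations the PK of step 3:2 asserts actually hold.

```python
import secrets

# Toy organization key, constructed for this example (the patent's l_n would
# be 1024 bits or more): p = 2p'+1 and q = 2q'+1 are safe primes, so QR_n has
# order p'q', which only the organization knows.
P_PRIME, Q_PRIME = 509, 593
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)             # 1019 * 1187
ORD_QR = P_PRIME * Q_PRIME                             # organization's secret
A_O, B_O, D_O, G_O, H_O = [pow(r, 2, N) for r in (2, 3, 5, 7, 11)]  # squares, so in QR_n

# Interval lengths scaled to the toy modulus: Gamma = ]-2^42, 2^42[,
# Delta = ]-2^63, 2^63[ (epsilon = 1.5), Lambda = ]2^96, 2^104[.
L_N = N.bit_length()                                   # 21
L_GAMMA, L_DELTA = 2 * L_N, 3 * L_N
L_LAMBDA, L_SIGMA = 96, 8

def params_ok():
    """The two inequalities [0239] imposes on 2^l_Lambda."""
    big = 2 ** (2 * L_GAMMA) + 2 ** L_GAMMA + 2 ** L_DELTA
    bigger = 2 ** L_SIGMA * (2 ** (2 * L_GAMMA) + 2 ** L_DELTA) + 2 ** L_DELTA
    return 2 ** L_LAMBDA > 2 * big and 2 * bigger < 2 ** L_LAMBDA

def in_interval(v, l):
    """v lies in the open interval ]-2^l, 2^l[."""
    return -2 ** l < v < 2 ** l

def joint_s(r1, r, l_delta=L_DELTA):
    """Step 1:4: combine the user's r1 and the organization's r into s, plus the
    quotient s~ that the PK of step 1:5 uses to show s was formed this way."""
    mod = 2 ** (l_delta + 1) + 1
    return (r1 + r) % mod - 2 ** l_delta + 1, (r1 + r) // mod

def pseudonym(x, s):
    """P = a^x b^s mod n; pow() handles negative exponents by inverting."""
    return pow(A_O, x, N) * pow(B_O, s, N) % N

def is_probable_prime(n, rounds=40):
    """Miller-Rabin; a helper of this example used to draw the prime exponent e."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime_in_lambda():
    """A random prime in Lambda = ]2^l_Lambda, 2^(l_Lambda + l_Sigma)[."""
    lo, hi = 2 ** L_LAMBDA + 1, 2 ** (L_LAMBDA + L_SIGMA)
    while True:
        e = (secrets.randbelow(hi - lo) + lo) | 1
        if is_probable_prime(e):
            return e

def issue(P_nym):
    """Step 2:2 (organization): c = (P d)^(1/e) mod n, computable only with the
    order of QR_n; without it this is an instance of the flexible RSA problem."""
    e = random_prime_in_lambda()
    return pow(P_nym * D_O % N, pow(e, -1, ORD_QR), N), e

def verify_credential(P_nym, c, e):
    """Step 2:3 (user): c^e == P d (mod n)."""
    return pow(c, e, N) == P_nym * D_O % N

def show(c, e, x, s):
    """Step 3:1: blind the credential as A = c h^r1, B = h^r1 g^r2, and return
    the witnesses (alpha ... xi) that satisfy the PK of step 3:2."""
    r1, r2 = secrets.randbits(2 * L_N), secrets.randbits(2 * L_N)
    A = c * pow(H_O, r1, N) % N
    B = pow(H_O, r1, N) * pow(G_O, r2, N) % N
    return (A, B), dict(alpha=e, beta=x, gamma=s, delta=r1 * e, eps=r1, zeta=r2, xi=r2 * e)

def show_relations_hold(A, B, w):
    """The three equations and three range conditions of step 3:2, checked with
    the witnesses in the clear (a verifier sees only A, B and the ZK proof)."""
    sq = lambda v: pow(v, 2, N)
    eq1 = sq(D_O) == (pow(sq(A), w["alpha"], N) * pow(sq(A_O), -w["beta"], N)
                      * pow(sq(B_O), -w["gamma"], N) * pow(sq(H_O), -w["delta"], N)) % N
    eq2 = sq(B) == pow(sq(H_O), w["eps"], N) * pow(sq(G_O), w["zeta"], N) % N
    eq3 = 1 == (pow(sq(B), w["alpha"], N) * pow(sq(H_O), -w["delta"], N)
                * pow(sq(G_O), -w["xi"], N)) % N
    ranges = (in_interval(w["beta"], L_GAMMA) and in_interval(w["gamma"], L_DELTA)
              and 2 ** L_LAMBDA < w["alpha"] < 2 ** (L_LAMBDA + L_SIGMA))
    return eq1 and eq2 and eq3 and ranges
```

Note that `issue` is the only place the organization's secret `ORD_QR` is used: the $e$-th root is the signature, and a user who could compute it for a fresh $(P, e)$ without the order would be solving the flexible RSA problem of [0191]. `show_relations_hold` is not a proof; it only confirms that the statement the user proves in zero knowledge is true for the blinded $A, B$.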

[0265] The following paragraph describes how showing a credential with respect to a pseudonym can be implemented efficiently.

[0266] Assume a user U wants to prove possession of a credential by organization $O_j$ to an organization $O_i$ with which U established $P_U^{O_i}$. That means $O_i$ not only wants to be assured that U owns a credential by $O_j$, but also that the pseudonym connected with this credential contains the same master secret key as $P_U^{O_i}$. Moreover, the protocol also assures that if U gave the secrets of $P_U^{O_i}$ to one of her friends, she would also reveal the secret keys of the pseudonym established with $O_j$, and vice versa, whereby all-or-nothing transferability is assured. Thus U and $O_i$ engage in the following protocol (in which we assume that $O_i$ has already established that $P_U^{O_i} \in QR_{n_{O_i}}$).

Protocol 4.

[0267] 4:1. U chooses random $r_1, r_2, r_3 \in_R \{0,1\}^{2 l_n}$, computes $A = c_U^{O_j} h_{O_j}^{r_1}$, $B = h_{O_j}^{r_1} g_{O_j}^{r_2}$ and $C = P_U^{O_j} h_{O_j}^{r_3}$, and sends $A, B, C$ to $O_i$.

[0268] 4:2. U engages with $O_i$ in

$PK\{(\alpha,\beta,\gamma,\delta,\varepsilon,\zeta,\xi,\eta,\phi):\ d_{O_j}^2 = (A^2)^\alpha \bigl(1/a_{O_j}^2\bigr)^\beta \bigl(1/b_{O_j}^2\bigr)^\gamma \bigl(1/h_{O_j}^2\bigr)^\delta \wedge B^2 = (h_{O_j}^2)^\varepsilon (g_{O_j}^2)^\zeta \wedge 1 = (B^2)^\alpha \bigl(1/h_{O_j}^2\bigr)^\delta \bigl(1/g_{O_j}^2\bigr)^\xi \wedge (P_U^{O_i})^2 = (a_{O_i}^2)^\beta (b_{O_i}^2)^\eta \wedge C^2 = (a_{O_j}^2)^\beta (b_{O_j}^2)^\gamma (h_{O_j}^2)^\phi \wedge \beta \in \Gamma \wedge \gamma \in \Delta \wedge \alpha \in \Lambda\}.$

[0269] 4:3. U and $O_i$ engage in the verifiable encryption protocols

$\upsilon_{(P_U^{O_i},\,O_j)} = VE\bigl(\mathrm{CEIG}, (\mathcal{H}, a_{O_i}^2, b_{O_i}^2, (P_U^{O_i})^2)\bigr)\{(\alpha,\beta,\gamma):\ C^2 = (a_{O_j}^2)^\alpha (b_{O_j}^2)^\beta (h_{O_j}^2)^\gamma\}$

[0270] and

$w_{(P_U^{O_i},\,O_j)} = VE\bigl(\mathrm{C\text{-}CEIG}, (\mathcal{H}, a_{O_j}^2, b_{O_j}^2, h_{O_j}^2, C^2)\bigr)\{(\alpha,\beta):\ (P_U^{O_i})^2 = (a_{O_i}^2)^\alpha (b_{O_i}^2)^\beta\}.$

[0271] 4:4. $O_i$ publishes the list $(\upsilon_{(P_U^{O_i},\,O_j)},\ w_{(P_U^{O_i},\,O_j)},\ P_U^{O_i},\ e_U^{O_i},\ c_U^{O_i})$.

[0272] The first two steps of this protocol are similar to those of Protocol 3, the difference being that here U also commits in $C$ to the pseudonym established with $O_j$, and proves that this is indeed the case (the same $\beta$ and $\gamma$ appear in $C^2$ as in the credential relation, and the same $\beta$ in $(P_U^{O_i})^2$). This commitment is needed for the encryption in step 4:3. In that step, all-or-nothing transferability is achieved by (1) verifiably encrypting the secret keys of the pseudonym U established with $O_j$ using $P_U^{O_i}$ as the encryption public key, and (2) verifiably encrypting the secret keys of $P_U^{O_i}$ using the pseudonym committed to in $C^2$ as the encryption public key (see the paragraphs on CEIG and C-CEIG above). Whoever obtains the secrets of either pseudonym can thus decrypt the published encryption and obtain the secrets of the other.

[0273] In case we want PKI-assured non-transferability only, the verifiable-encryption step 4:3 (and the publication of its output in step 4:4) can be omitted. Furthermore, $C$ is then not necessary either and can be dropped.

[0274] In this paragraph we show how to ensure that if a user gives away his master secret $x_U$, then he will also reveal the secret key of an "external" valuable public key $PK_U$. This is achieved by having the CA ask for this public key $PK_U$, check whether it is the user's public key (e.g., via some external certificate), and then require the user to verifiably encrypt the corresponding secret key such that it can be

[0275] We give an example of how this protocol looks in case U's external public key $Y_U$ is discrete-logarithm based, i.e., $Y_U = g^x$ for some generator $g$. Other cases are similar.

Protocol 5.

[0276] 5:1. U sends $Y_U$ and $g$ to the CA together with the external PKI's certificate on $Y_U$. The CA checks the validity of $Y_U$.

[0277] 5:2. U and the CA engage in the protocol

$w_{(P_U^{O_0})} = VE\bigl(\mathrm{CEIG}, (\mathcal{H}, a_{O_0}^2, b_{O_0}^2, (P_U^{O_0})^2)\bigr)\{(\alpha):\ Y_U = g^\alpha\}.$

[0278] The following describes how one-show credentials can be implemented efficiently. The credentials we have considered so far can be shown an unlimited number of times. However, for some services it might be required that a credential can be used only once. Of course, one possibility would be that a user just reveals the credential to the verifier in the clear. This, however, would mean that the user is no longer fully anonymous, as the verifier and the issuing organization then both know the credential and thus can link the transaction to the user's pseudonym. Traditionally this problem has been solved using so-called blind signatures (Chaum, 1983). Here we provide a novel alternative approach: instead of blinding the signer, we blind the verifier. This approach could also be used to implement anonymous e-cash (just consider a credential to be money).

[0279] In the following we describe the general idea of how it is realized. We do not provide the resulting changes that would have to be made to the individual protocols.

[0280] Each organization publishes an additional provably random generator $z_{O_i} \in QR_{n_{O_i}}$.

[0281] A user's pseudonym is formed slightly differently: $P_U^{O_i} = a_{O_i}^{x_U} \, b_{O_i}^{s_U^{O_i}} \, z_{O_i}^{r_U^{O_i}}$, where $r_U^{O_i}$ is chosen by $O_i$ and U together in the same way as $s_U^{O_i}$.

[0282] Credentials are issued in the very same way as before, i.e., U obtains $c_U^{O_i}$ and $e_U^{O_i}$ such that $(c_U^{O_i})^{e_U^{O_i}} \equiv P_U^{O_i} \, d_{O_i} \pmod{n_{O_i}}$ holds.

[0283] When proving possession of a one-show credential issued by $O_j$ (with respect to a pseudonym or not), the user provides the verifier V (which might be an organization) with the value $H_U^{O_j} = h_{O_j}^{r_U^{O_j}}$ and proves that it is formed correctly w.r.t. the pseudonym U established with $O_j$. Of course, the various PK's in these protocols have to be adapted to reflect the different form of the pseudonym U holds with $O_j$.

[0284] Now, different usages of the same credential can be linked to each other but not to the user's pseudonym with the issuing organization. This allows preventing users from using the same credential several times, if the verifier checks with the issuing organization whether $H_U^{O_j}$ was already used or not, similar to how it is done for anonymous “on-line” e-cash. Off-line checking could be done as well. As here double usage can only be detected but not prevented, a mechanism for identifying “double-users” is required. This could for instance be achieved using revocation as described in the previous section, or using similar techniques to those used for anonymous “off-line” e-cash (e.g., (Brands, 1993)). The latter could be done such that using a one-show credential twice would expose the user's secret keys connected with the corresponding pseudonym. Together with non-transferability this would be quite a strong incentive for users not to use one-show credentials twice.
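The tag mechanism of paragraphs [0280] to [0284], as an added example that is not part of the patent: the user derives the one-show tag $H_U^{O_j} = h^{r}$ from the same randomness $r$ that sits in the pseudonym, the issuing organization keeps an “on-line” registry of tags it has already seen, and an “off-line” audit over deposited records detects (but cannot prevent) a second use. The proofs of knowledge that the tag is well formed w.r.t. the pseudonym are omitted. The modulus, generators and all secret values are constructed toy parameters and are not secure.

```python
# Constructed toy public parameters of an organization O_j (assumption; NOT secure).
N_TOY = 1019 * 1459             # stands in for the RSA modulus n_{O_j}
A, B, Z, H = 4, 9, 25, 49       # small squares, i.e. elements of QR_n (toy a, b, z, h)


def one_show_pseudonym(x_u: int, s: int, r: int, n: int = N_TOY) -> int:
    """P_U^{O_j} = a^{x_U} b^{s} z^{r} mod n, the pseudonym form of [0281]."""
    return pow(A, x_u, n) * pow(B, s, n) * pow(Z, r, n) % n


def show_tag(r: int, n: int = N_TOY) -> int:
    """H_U^{O_j} = h^{r} mod n, the value handed to the verifier in [0283].

    The same credential always yields the same tag (shows are linkable to each
    other); without r the tag cannot be related to the pseudonym above.
    """
    return pow(H, r, n)


class UsedTagRegistry:
    """Issuing organization's record of tags already used ("on-line" checking)."""

    def __init__(self) -> None:
        self._used: set[tuple[str, int]] = set()

    def accept(self, org_id: str, tag: int) -> bool:
        """True on the first use of (issuer, tag); False on every later use."""
        key = (org_id, tag)
        if key in self._used:
            return False
        self._used.add(key)
        return True


def offline_audit(deposits: list[tuple[str, int, str]]) -> dict[tuple[str, int], list[str]]:
    """Off-line checking of [0284]: deposits are (issuer, tag, transaction id)
    records collected after the fact; return the tags deposited more than once
    together with the transactions involved, i.e. detected double use."""
    seen: dict[tuple[str, int], list[str]] = {}
    for org_id, tag, txid in deposits:
        seen.setdefault((org_id, tag), []).append(txid)
    return {key: txids for key, txids in seen.items() if len(txids) > 1}


if __name__ == "__main__":
    # Constructed secrets: master secret x_U, organization share s, randomness r.
    r = 3
    print("pseudonym:", one_show_pseudonym(x_u=101, s=202, r=r))
    print("tag:", show_tag(r))
    reg = UsedTagRegistry()
    print("first show accepted:", reg.accept("O_j", show_tag(r)))
    print("second show accepted:", reg.accept("O_j", show_tag(r)))
```

Tags are keyed by issuer because they are computed with the issuer's own generator $h_{O_j}$; the registry therefore lives with (or is queried at) the issuing organization, exactly as the paragraph describes for the on-line check.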

[0285] We now describe how local and global revocation can be implemented efficiently. To enable local and global revocation each organization needs a revocation manager. Given the transcript of a protocol where some user proved possession of a credential issued by organization $O_i$, this organization's revocation manager $R_i$ will have the task to reveal the pseudonym under which the user is known to $O_i$. Each of these managers needs to choose keys of some non-malleable public key encryption scheme. The managers' public keys become part of the respective organizations' public keys. In the following we describe how the protocols for proving possession of a credential must be adapted such that local revocation is possible using Cramer-Shoup encryption (Cramer and Shoup, 1998). We then discuss global revocation. We remark that it can be decided at the time when the possession of a credential is proved whether local and/or global revocation shall be possible for the transaction at hand.

[0286] Setup: Each $R_i$ chooses a group $H_{R_i}$ of (large) prime order $q_{R_i}$, two provably random generators $g_{R_i}$ and $h_{R_i}$, and five secret keys $x_{(1,R_i)}, \ldots, x_{(5,R_i)} \in_R \mathbb{Z}_{q_{R_i}}$ and computes

$$(y_{(1,R_i)}, y_{(2,R_i)}, y_{(3,R_i)}) := \left(g_{R_i}^{x_{(1,R_i)}} h_{R_i}^{x_{(2,R_i)}},\; g_{R_i}^{x_{(3,R_i)}} h_{R_i}^{x_{(4,R_i)}},\; g_{R_i}^{x_{(5,R_i)}}\right)$$

as his public key.

[0287] Protocol 1 is extended by the following steps.

[0288] 1:8. U computes $P_U^{R_i} = g_{R_i}^{x_U} \, h_{R_i}^{s_U^{O_i}}$ if $i \neq 0$ and $P_U^{R_0} = g_{R_0}^{x_U}$ otherwise. U sends $P_U^{R_i}$ to $O_i$.

[0289] 1:9. U engages with $O_i$ in

$$PK\{(\alpha, \beta): (P_U^{O_i})^2 = (a_{O_i}^2)^{\alpha} (b_{O_i}^2)^{\beta} \;\wedge\; P_U^{R_i} = g_{R_i}^{\alpha} h_{R_i}^{\beta}\}$$

[0290] if $i \neq 0$ and

$$PK\{(\alpha, \beta): (P_U^{O_0})^2 = (a_{O_0}^2)^{\alpha} (b_{O_0}^2)^{\beta} \;\wedge\; P_U^{R_0} = g_{R_0}^{\alpha}\}$$

[0291] otherwise.

[0292] 1:10. Both $O_i$ and U store $P_U^{R_i}$ with $P_U^{O_i}$.

[0293] Let $m_j$ be some agreed-upon text describing under which condition $R_j$ is allowed to revoke the anonymity of the transaction of which the current execution of Protocol 3 or 4 is part, respectively. In the following we provide the steps to be executed after Protocol 3 or 4 in order to get local and/or global revocation.

Protocol 6 (Local Revocation)

[0294] 6:1. U chooses $r_1 \in_R \mathbb{Z}_{q_{R_j}}$ and computes $c_{(1,U)}^{R_j} := g_{R_j}^{r_1}$, $c_{(2,U)}^{R_j} := h_{R_j}^{r_1}$, $c_{(3,U)}^{R_j} := y_{(3,R_j)}^{r_1} \, P_U^{R_j}$, and $c_{(4,U)}^{R_j} := y_{(1,R_j)}^{r_1} \, y_{(2,R_j)}^{r_1 H(c)}$, and sends $(c_{(1,U)}^{R_j}, c_{(2,U)}^{R_j}, c_{(3,U)}^{R_j}, c_{(4,U)}^{R_j})$ to V.

[0295] 6:2. U and V engage in

$$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon): d_{O_j}^2 = (A^2)^{\alpha} (1/a_{O_j}^2)^{\beta} (1/b_{O_j}^2)^{\gamma} (1/h_{O_j}^2)^{\delta} \;\wedge\; c_{(1,U)}^{R_j} = g_{R_j}^{\varepsilon} \;\wedge\; c_{(2,U)}^{R_j} = h_{R_j}^{\varepsilon} \;\wedge\; c_{(3,U)}^{R_j} = g_{R_j}^{\beta} h_{R_j}^{\gamma} y_{(3,R_j)}^{\varepsilon} \;\wedge\; c_{(4,U)}^{R_j} = (y_{(1,R_j)} \, y_{(2,R_j)}^{H(c)})^{\varepsilon}\}$$

Protocol 7 (Global Revocation)

[0296] 7:1. U chooses $r_2 \in_R \mathbb{Z}_{q_{R_0}}$ and computes $c_{(1,U)}^{R_0} := g_{R_0}^{r_2}$, $c_{(2,U)}^{R_0} := h_{R_0}^{r_2}$, $c_{(3,U)}^{R_0} := y_{(3,R_0)}^{r_2} \, P_U^{R_0}$, and $c_{(4,U)}^{R_0} := y_{(1,R_0)}^{r_2} \, y_{(2,R_0)}^{r_2 H(c)}$, and sends $(c_{(1,U)}^{R_0}, c_{(2,U)}^{R_0}, c_{(3,U)}^{R_0}, c_{(4,U)}^{R_0})$ to V.

[0297] 7:2. U and V engage in

$$PK\{(\alpha, \beta, \gamma, \delta, \varepsilon): d_{O_j}^2 = (A^2)^{\alpha} (1/a_{O_j}^2)^{\beta} (1/b_{O_j}^2)^{\gamma} (1/h_{O_j}^2)^{\delta} \;\wedge\; c_{(1,U)}^{R_0} = g_{R_0}^{\varepsilon} \;\wedge\; c_{(2,U)}^{R_0} = h_{R_0}^{\varepsilon} \;\wedge\; c_{(3,U)}^{R_0} = g_{R_0}^{\beta} y_{(3,R_0)}^{\varepsilon} \;\wedge\; c_{(4,U)}^{R_0} = (y_{(1,R_0)} \, y_{(2,R_0)}^{H(c)})^{\varepsilon}\}$$
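The encryption of the revocation pseudonym that Protocols 6 and 7 build on (Setup [0286], steps 1:8, 6:1 and 7:1), as an added example that is not the patent's own code: the revocation manager's five-secret Cramer-Shoup key pair, the user's encryption of $P_U^{R_j}$ into $(c_1, c_2, c_3, c_4)$, and the manager's decryption, which first verifies $c_4 = c_1^{x_1 + x_3 H} c_2^{x_2 + x_4 H}$ and rejects anything that was altered after the fact. The proofs of knowledge of steps 6:2 and 7:2 are omitted. Several choices are assumptions because the patent leaves them open: the group $H_{R_j}$ is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q + 1$ found by a deterministic search (large enough to run quickly, not a production size), the generators are the fixed squares 4 and 9 rather than provably random ones, and the elided hash argument $H(c)$ is taken to be SHA-256 over $(c_1, c_2, c_3, m_j)$ with $m_j$ the agreed revocation condition of [0293]. All secret values in the demo are constructed.

```python
import hashlib
from dataclasses import dataclass

# Witness bases that make Miller-Rabin deterministic for n < 2^64.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 with odd prime q >= start (assumed group choice)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


@dataclass(frozen=True)
class Group:
    """H_{R_j}: the order-q subgroup of Z_p^* with generators g_{R_j}, h_{R_j}."""
    p: int
    q: int
    g: int
    h: int


def make_group(start: int = 1 << 60) -> Group:
    p, q = find_safe_prime(start)
    return Group(p, q, 4, 9)  # 2^2 and 3^2 are quadratic residues, hence of order q (toy)


def keygen(G: Group, x: tuple[int, ...]) -> tuple[int, int, int]:
    """Setup [0286]: (y1, y2, y3) = (g^x1 h^x2, g^x3 h^x4, g^x5) from the five secrets."""
    x1, x2, x3, x4, x5 = x
    y1 = pow(G.g, x1, G.p) * pow(G.h, x2, G.p) % G.p
    y2 = pow(G.g, x3, G.p) * pow(G.h, x4, G.p) % G.p
    return y1, y2, pow(G.g, x5, G.p)


def hash_c(G: Group, c1: int, c2: int, c3: int, m_j: str) -> int:
    """H(c) as assumed here: SHA-256 over (c1, c2, c3, m_j), reduced mod q."""
    digest = hashlib.sha256(f"{c1}|{c2}|{c3}|{m_j}".encode()).digest()
    return int.from_bytes(digest, "big") % G.q


def revocation_pseudonym(G: Group, x_u: int, s: int) -> int:
    """P_U^{R_j} = g^{x_U} h^{s} of step 1:8 (case i != 0)."""
    return pow(G.g, x_u, G.p) * pow(G.h, s, G.p) % G.p


def encrypt(G: Group, y: tuple[int, int, int], P: int, r: int, m_j: str) -> tuple[int, int, int, int]:
    """Step 6:1 / 7:1: (c1, c2, c3, c4) for P = P_U^{R_j} under randomness r in Z_q."""
    y1, y2, y3 = y
    c1, c2 = pow(G.g, r, G.p), pow(G.h, r, G.p)
    c3 = pow(y3, r, G.p) * P % G.p
    Hc = hash_c(G, c1, c2, c3, m_j)
    c4 = pow(y1, r, G.p) * pow(y2, r * Hc % G.q, G.p) % G.p
    return c1, c2, c3, c4


def decrypt(G: Group, x: tuple[int, ...], ct: tuple[int, int, int, int], m_j: str):
    """Revocation manager R_j: reveal P_U^{R_j}, or None if the ciphertext is not a
    well-formed encryption under condition m_j (the non-malleability check)."""
    x1, x2, x3, x4, x5 = x
    c1, c2, c3, c4 = ct
    # Every component must be a non-trivial element of the order-q subgroup.
    if any(not 0 < c < G.p or pow(c, G.q, G.p) != 1 for c in ct):
        return None
    Hc = hash_c(G, c1, c2, c3, m_j)
    # For an honest ciphertext c4 == c1^(x1 + x3*H) * c2^(x2 + x4*H) exactly.
    expected = pow(c1, (x1 + x3 * Hc) % G.q, G.p) * pow(c2, (x2 + x4 * Hc) % G.q, G.p) % G.p
    if expected != c4:
        return None
    return c3 * pow(pow(c1, x5, G.p), -1, G.p) % G.p  # P = c3 / c1^x5


if __name__ == "__main__":
    G = make_group()
    secrets = (11, 22, 33, 44, 55)  # constructed x_(1,R_j) .. x_(5,R_j)
    y = keygen(G, secrets)
    P = revocation_pseudonym(G, x_u=123456, s=654321)  # constructed user values
    m_j = "R_j may revoke on presentation of a court order"  # constructed m_j
    ct = encrypt(G, y, P, r=987654321, m_j=m_j)
    print("recovered pseudonym matches:", decrypt(G, secrets, ct, m_j) == P)
    print("altered ciphertext rejected:", decrypt(G, secrets, (ct[0], ct[1], ct[2] * 4 % G.p, ct[3]), m_j) is None)
```

The check on $c_4$ is what makes the encryption non-malleable, which paragraph [0285] requires of the manager's scheme: changing any component, or presenting the ciphertext under a different condition text $m_j$, changes $H(c)$ and the manager refuses to reveal anything. In the protocol the user additionally proves in step 6:2 that $c_3$ really hides the pseudonym bound to the credential, so V need not trust the user for well-formedness.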

References

[0298] Asokan, N., Shoup, V., and Waidner, M. (2000). Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications, 18(4):591-610.

[0299] Ateniese, G., Camenisch, J., Joye, M., and Tsudik, G. (2000). A practical and provably secure coalition-resistant group signature scheme. In Bellare, M., editor, Advances in Cryptology—CRYPTO 2000, volume 1880 of Lecture Notes in Computer Science, pages 255-270. Springer Verlag.

[0300] Barić, N. and Pfitzmann, B. (1997). Collision-free accumulators and fail-stop signature schemes without trees. In Fumy, W., editor, Advances in Cryptology—EUROCRYPT '97, volume 1233 of Lecture Notes in Computer Science, pages 480-494. Springer Verlag.

[0301] Bellare, M. and Rogaway, P. (1993). Random oracles are practical: A paradigm for designing efficient protocols. In First ACM Conference on Computer and Communication Security, pages 62-73. Association for Computing Machinery.

[0302] Boudot, F. (2000). Efficient proofs that a committed number lies in an interval. In Preneel, B., editor, Advances in Cryptology—EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 431-444. Springer Verlag.

[0303] Brands, S. (1993). Electronic cash systems based on the representation problem in groups of prime order. In Preproceedings of Advances in Cryptology—CRYPTO '93, pages 26.1-26.15.

[0304] Brickell, E. F., Chaum, D., Damgård, I. B., and van de Graaf, J. (1988). Gradual and verifiable release of a secret. In Pomerance, C., editor, Advances in Cryptology—CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 156-166. Springer Verlag.

[0305] Camenisch, J. and Damgård, I. (1998). Verifiable encryption and applications to group signatures and signature sharing. Technical Report RS-98-32, BRICS, Department of Computer Science, University of Aarhus.

[0306] Camenisch, J. and Michels, M. (1998). A group signature scheme with improved efficiency. In Ohta, K. and Pei, D., editors, Advances in Cryptology—ASIACRYPT '98, volume 1514 of Lecture Notes in Computer Science, pages 160-174. Springer Verlag.

[0307] Camenisch, J. and Michels, M. (1999a). Proving in zero-knowledge that a number n is the product of two safe primes. In Stern, J., editor, Advances in Cryptology—EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 107-122. Springer Verlag.

[0308] Camenisch, J. and Michels, M. (1999b). Separability and efficiency for generic group signature schemes. In Wiener, M., editor, Advances in Cryptology—CRYPTO '99, volume 1666 of Lecture Notes in Computer Science, pages 413-430. Springer Verlag.

Camenisch, J. and Stadler, M. (1997). Efficient group signature schemes for large groups. In Kaliski, B., editor, Advances in Cryptology—CRYPTO '97, volume 1296 of Lecture Notes in Computer Science, pages 410-424. Springer Verlag.

[0309] Chaum, D. (1983). Blind signatures for untraceable payments. In Chaum, D., Rivest, R. L., and Sherman, A. T., editors, Advances in Cryptology—Proceedings of CRYPTO '82, pages 199-203. Plenum Press.

[0310] Chaum, D. (1991). Zero-knowledge undeniable signatures. In Damgård, I. B., editor, Advances in Cryptology—EUROCRYPT '90, volume 473 of Lecture Notes in Computer Science, pages 458-464. Springer Verlag.

[0311] Chaum, D., Evertse, J.-H., and van de Graaf, J. (1988). An improved protocol for demonstrating possession of discrete logarithms and some generalizations. In Chaum, D. and Price, W. L., editors, Advances in Cryptology—EUROCRYPT '87, volume 304 of Lecture Notes in Computer Science, pages 127-141. Springer Verlag.

[0312] Chaum, D. and Pedersen, T. P. (1993). Wallet databases with observers. In Brickell, E. F., editor, Advances in Cryptology—CRYPTO '92, volume 740 of Lecture Notes in Computer Science, pages 89-105. Springer Verlag.

[0313] Cramer, R. and Shoup, V. (1998). A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Krawczyk, H., editor, Advances in Cryptology—CRYPTO '98, volume 1642 of Lecture Notes in Computer Science, pages 13-25, Berlin. Springer Verlag.

[0314] Cramer, R. and Shoup, V. (1999). Signature schemes based on the strong RSA assumption. In Proc. 6th ACM Conference on Computer and Communications Security, pages 46-52. ACM Press.

[0315] ElGamal, T. (1985). A public key cryptosystem and a signature scheme based on discrete logarithms. In Blakley, G. R. and Chaum, D., editors, Advances in Cryptology—CRYPTO '84, volume 196 of Lecture Notes in Computer Science, pages 10-18. Springer Verlag.

[0316] Fiat, A. and Shamir, A. (1987). How to prove yourself: Practical solutions to identification and signature problems. In Odlyzko, A. M., editor, Advances in Cryptology—CRYPTO '86, volume 263 of Lecture Notes in Computer Science, pages 186-194. Springer Verlag.

[0317] Fujisaki, E. and Okamoto, T. (1997). Statistical zero knowledge protocols to prove modular polynomial relations. In Kaliski, B., editor, Advances in Cryptology—CRYPTO '97, volume 1294 of Lecture Notes in Computer Science, pages 16-30. Springer Verlag.

[0318] Fujisaki, E. and Okamoto, T. (1998). A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In Nyberg, K., editor, Advances in Cryptology—EUROCRYPT '98, volume 1403 of Lecture Notes in Computer Science, pages 32-46. Springer Verlag.

[0319] Gennaro, R., Halevi, S., and Rabin, T. (1999). Secure hash-and-sign signatures without the random oracle. In Stern, J., editor, Advances in Cryptology—EUROCRYPT '99, volume 1592 of Lecture Notes in Computer Science, pages 123-139. Springer Verlag.

[0320] Pointcheval, D. (1996). Les Preuves de Connaissance et leurs Preuves de Sécurité. PhD thesis, Université de Caen.

[0321] Schnorr, C. P. (1991). Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239-252.

1. A method for establishing a pseudonym system by having a certificate authority accepting a user as a new participant in said pseudonym system, the method comprising the steps of: receiving a first public key provided by said user; verifying that said user is allowed to join the system; computing a credential by signing the first public key using a secret key owned by said certificate authority; publishing said first public key and said credential.

2. The method according to claim 1, wherein the step of receiving a first public key further includes receiving an external public key being registered for said user with an external public key infrastructure and receiving an encryption of a secret key encrypted by using said first public key; the step of verifying that said user is allowed to join the system further includes verifying that said external public key is indeed registered with said external public key infrastructure; the step of publishing said first public key and said credential comprises publishing said encryption and the name of the external public key infrastructure; and additionally comprises the step of proving that the secret key corresponding to said external public key is encrypted in said received encryption.

3. The method according to claim 2, wherein said first public key of the user is derived from at least one first secret key composed by the user.

4. The method according to claim 3, wherein the step of receiving a first public key derived from a first secret key further comprises receiving a second public key which is derived from a second and a third secret key composed by the user; and the step of computing a credential by signing the first public key using a secret key owned by said certificate authority further comprises computing a credential by signing the second public key using said secret key owned by said certificate authority.

5. A method for establishing a pseudonym system by having an organization register a user, the method comprising the steps of: receiving a first public key provided by said user; receiving a first encryption encrypted by using said first public key; proving that an existing public key is registered for said user with another organization of said pseudonym system and proving that the secret key corresponding to said existing public key is encrypted in said received first encryption; publishing said first public key, said first encryption and the name of said other organization.

6. The method according to claim 5, wherein proving that an existing public key is registered for said user with said other organization of said pseudonym system and proving that the secret key corresponding to said existing public key is encrypted in said received first encryption includes proving possession of a credential issued by said organization of said existing public key.

7. The method according to claim 6, wherein the step of receiving a first encryption encrypted by using said first public key further comprises receiving a second encryption encrypted by using said existing public key; the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption further comprises proving that the secret key corresponding to said first public key is encrypted in said received second encryption; and the step of publishing said first public key, said first encryption, and the name of said other organization further comprises publishing said second encryption.

8. The method according to claim 7, wherein the step of receiving a first encryption encrypted by using said first public key further comprises receiving a third encryption encrypted by using a public key published by a revocation manager; and the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption further comprises proving that said existing public key is encrypted in said received third encryption.

9. The method according to claim 8, wherein the first public key of the user is derived from at least two secret keys composed by the user.

10. The method according to claim 9, wherein the step of proving that the secret key corresponding to said first public key is encrypted in said received second encryption includes proving that all of said at least two secret keys corresponding to said first public key are encrypted in said second encryption.

11. The method according to claim 10, further comprising a step of proving that the first public key is derived from at least two secret keys and proving that one of the secret keys is identical to one of the secret keys used to derive another public key from which the user claims it is registered with another organization.

12. The method according to claim 11, wherein the existing public key of the user is derived from at least two secret keys composed by the user.

13. The method according to claim 12, wherein the step of proving that the secret key corresponding to said existing public key is encrypted in said received first encryption includes proving that all of said at least two secret keys corresponding to said existing public key are encrypted in said first encryption.

14. The method according to claim 13, further comprising the steps of receiving a third public key provided by said user; proving that one secret key used to derive said third public key is identical to one secret key used to derive said existing public key from which the user claims it is registered with a specified organization.

15. The method according to claim 14, further comprising the step of: computing a credential by signing the first public key using a secret key owned by said organization; and wherein the step of publishing said first public key, said first encryption and the name of said other organization further comprises publishing said certificate.

16. The method according to claim 15, wherein the step of receiving a first public key derived from a first secret key further comprises receiving a second public key which is derived from a second and a third secret key composed by the user; and the step of computing a credential by signing the first public key using a secret key owned by said certificate authority further comprises computing a credential by signing the first and second public key using said secret key owned by said certificate authority.

17. A method for having a verifier checking possession of a credential by a user issued by a specified organization, the method comprising the steps of: proving that an existing public key is registered for said user with said specified organization of said pseudonym system.

18. The method according to claim 17, wherein the step of proving that an existing public key is registered for said user with said specified organization of said pseudonym system includes proving possession of a credential issued by said organization of said existing public key.

19. The method according to claim 18, further comprising the steps of receiving a third encryption encrypted by using a public key published by a revocation manager; and proving that said existing public key is encrypted in said received third encryption.

20. The method according to claim 19, further comprising the steps of: receiving a third public key provided by said user; proving that one secret key used to derive said third public key is identical to one secret key used to derive said existing public key from which the user claims it is registered with said specified organization.

21. A method for having a revocation manager revealing a pseudonym or the identity of a user, the method comprising the steps of: receiving a request from an organization for revealing a pseudonym or the identity of a user; judging whether it is justified to reveal the pseudonym or the identity of the user; and sending the pseudonym or the identity of the user to the requesting organization, in case that this is justified.

22. A computer program product stored on a computer usable medium, comprising computer readable program means for causing a computer to perform a method according to claim 1.